Windows Analysis Report
4JPKDcwtDo.exe
Overview
General Information
Sample name: | 4JPKDcwtDo.exe (renamed because original name is a hash value) |
Original sample name: | 5530e06db7d6818359bef99c53ebef57.exe |
Analysis ID: | 1599847 |
MD5: | 5530e06db7d6818359bef99c53ebef57 |
SHA1: | d43255e222c09a14f7e2cc205df120af573a15d2 |
SHA256: | d878e20cbf86109866c7fbd2ab840f58eb0927c526feed708b50d97c5bb9eff8 |
Tags: | exe, user-abuse_ch |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 4JPKDcwtDo.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\4JPKDcwtDo.exe" MD5: 5530E06DB7D6818359BEF99C53EBEF57)
  - WerFault.exe (PID: 7656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-26T15:47:59.794618+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.349618+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:02.600271+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:03.829022+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:05.459225+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:06.974006+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:08.667496+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:11.847642+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:00.859158+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.865980+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:12.337047+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:00.859158+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.865980+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:47:59.794618+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.349618+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:02.600271+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:03.829022+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:05.459225+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:06.974006+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:08.667496+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:11.847642+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:47:59.155701+0100 | 2059421 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 53091 | 1.1.1.1 | 53 | UDP |
2025-01-26T15:47:59.169214+0100 | 2059423 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 58904 | 1.1.1.1 | 53 | UDP |
2025-01-26T15:48:03.207759+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | Suricata IDS: |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 4_3_0070DDF8 |
Source: | Process created: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File read: |
Source: | Section loaded: |
Source: | File opened: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Code function: | 4_3_0070C97A |
Source: | Code function: | 4_3_00716EC8 |
Source: | Static PE information: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | System information queried: |
Source: | Thread sleep time: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Queries volume information: |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | String found in binary or memory: |
Source: | File opened: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 4 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 22 Software Packing | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Detection | Scanner | Label |
---|---|---|
61% | ReversingLabs | Win32.Trojan.GenSHCode |
57% | Virustotal | |
100% | Joe Sandbox ML | |
Detection | Scanner | Label |
---|---|---|
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
toppyneedus.biz | 172.67.149.66 | true | false | | high |
impolitewearr.biz | unknown | unknown | false | | high |
financialfreez.click | unknown | unknown | true | | unknown |
Malicious | Antivirus Detection | Reputation |
---|---|---|
false | | high |
Malicious | Antivirus Detection | Reputation |
---|---|---|
false | | high |
false | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.149.66 | toppyneedus.biz | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1599847 |
Start date and time: | 2025-01-26 15:47:01 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 4JPKDcwtDo.exerenamed because original name is a hash value |
Original Sample Name: | 5530e06db7d6818359bef99c53ebef57.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@2/5@3/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.45, 4.175.87.197, 40.126.32.138, 20.12.23.50
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target 4JPKDcwtDo.exe, PID 7120 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
09:47:57 | API Interceptor | |
10:58:00 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.149.66 | Get hash | malicious | Amadey, LummaC Stealer, Stealc | Browse | ||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer, Matanbuchus | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | Amadey, LummaC Stealer, PureLog Stealer, RedLine | Browse | |||
Get hash | malicious | Amadey, Babadeda, Credential Flusher, LummaC Stealer, Stealc | Browse | |||
Get hash | malicious | Amadey, Babadeda, Credential Flusher, DarkTortilla, LummaC Stealer, Stealc | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
toppyneedus.biz | Get hash | malicious | Amadey, LummaC Stealer, Stealc | Browse | ||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | |||
Get hash | malicious | LummaC Stealer, Matanbuchus | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Amadey, LummaC Stealer, Stealc | Browse | ||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Amadey, LummaC Stealer, Stealc | Browse | ||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | |||
Get hash | malicious | LummaC, Amadey | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0283699079067659 |
Encrypted: | false |
SSDEEP: | 96:cyFT8GUsnhpl7EfKQXIDcQ1c6McE7cw3NYrx+HbHg/PB6HeaOy1E45WAU6NCUtWo:d8GUr0rIx5JjG3mJIzuiFAZ24IO8iZ |
MD5: | C1F2ADE798E9F747ECD2BDA5B8F1133E |
SHA1: | 62E1E0445FE572B521A5DFB576522855FC5CD0FF |
SHA-256: | 3E653F7A0E099054DF9A37732C037F71DA637F3B13A148DB5B1B398FFBC3BDB5 |
SHA-512: | CC7B2E9AE56F93247C24D39D0D17F555D4C6DEF58825BC39BFAC8C2E167D2C0AADDB413B7202128DCB59BD781E36781E26E4C4C7EC974BEA69224B522782A78E |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 48890 |
Entropy (8bit): | 2.577551863525538 |
Encrypted: | false |
SSDEEP: | 192:ljlyXbMzY2SGKeZzeOZ1BSSnqh/LYqC5gNczif2D7/cqxl7lnuCXH1/2sLSb+:sMzY2SGKeZzZrB7EYoCrttzXVJSb+ |
MD5: | 5126249BABB8639F168B5BD7DCBF5C7E |
SHA1: | 47730E341A34710AE12C00BCC85E2E5A2E3AA438 |
SHA-256: | 6217260ADCD576D8E4C96AA3AFA271468582858B494006C3ED02DAA7E484D05B |
SHA-512: | 774F698B46724AADFDA6A82F033ABA92DB955F0F6654D3F257D42661A6C11FBFE31AE80626A99E41FA7C1FFE507E07486FAF3D41CE0BBB4BC1065ED600C757B2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8324 |
Entropy (8bit): | 3.6990357664182154 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJXj6Ixg6YNpSU+egmfppApDw89bgYsfNAm:R6lXJz6IW6YzSU+egmfp+gLff |
MD5: | 2B3C76D210D7BF03BC9E706ABF219C24 |
SHA1: | 8C5DB74D41C7681B28ED01F161BF31B5D17A4D6A |
SHA-256: | F8E7BCA38678D5A9EF04B871EEBFF06C0CBE8E28F2582033E6510408B0A71CE6 |
SHA-512: | 24B2161F46EB51BD5EA4239A9A514BE17CBB2956CC7B7E5D6B800E36E2EF1C8DC332CFC705FC436FDC9BC4055DB3CEE434E606BCF8B41F08AD650C8568EF7BDD |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4579 |
Entropy (8bit): | 4.475600652360879 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsrJg77aI952WpW8VYcYm8M4J4YFu+q8cPHN0A0Wd:uIjfFI7DX7VYJmJytWd |
MD5: | B540B25D56A7D2A16016B7DD663753D9 |
SHA1: | 5F82550C80047567E0648000351EB82B5557D5B7 |
SHA-256: | 62BB4652A8F6B9A9ADE987A6E9E37AB52D5EF86B9721AAB027A2B5AA149D9EAA |
SHA-512: | B7B2D997672CE9AF0EDDA101AD04FB0DD88E159F4DA431FC0F290C84D6219909DE82BA0DBA6C0254408A9ACFBCFAC731B752FF8999121031EC655E13FEBF3210 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.416653773529352 |
Encrypted: | false |
SSDEEP: | 6144:hcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNp5+:+i58oSWIZBk2MM6AFB7o |
MD5: | 870F21E95D3BD9195535A694D2FADD46 |
SHA1: | 280A76E6D730FC50D96F6778E979E9160D56161E |
SHA-256: | 0BAB4D81556B0CF4979197140E702400CACEBBE3652468F8D690C4706434606E |
SHA-512: | 8BF9894C66F5A70CC7D07C0B2ACB122BED9932079C7BDB0B772EF47889A77C7DE72694B9FE2533D9A5B4F0543F2E63003FB00C40C5C5B0AA96E92B9FFD8C1DA6 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.669497053557433 |
TrID: | |
File name: | 4JPKDcwtDo.exe |
File size: | 400'384 bytes |
MD5: | 5530e06db7d6818359bef99c53ebef57 |
SHA1: | d43255e222c09a14f7e2cc205df120af573a15d2 |
SHA256: | d878e20cbf86109866c7fbd2ab840f58eb0927c526feed708b50d97c5bb9eff8 |
SHA512: | 13b71094147451fd3419dc5e9ab735e8bf49debeeb1fea222275b10c6aa6aadf006650b91c2f4eca67f70251ba1acacf0a8262090c5e4650b2153e6b373c9d8c |
SSDEEP: | 3072:1XtJ94LTt1ffUPNCi/ijoEUz0Qa3fSbPbNh8um6fLea54bY94HPy31lcqpo9fq5t:19JmPf9obYrfSbjguz5J9Oy3Dch9 |
TLSH: | E6845B1282A17D54EA265B729E1EC6E8670EF7E18F897BB532189ADF0CB0171C173F50 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`8...VA..VA..VA+N.A..VA.S.A..VA.S.A..VA.S.A..VA..-A..VA..WA..VA.S.A..VA.S.A..VA.S.A..VARich..VA........................PE..L.. |
Icon Hash: | 738733b18ba383e4 |
Entrypoint: | 0x401926 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6609CEBF [Sun Mar 31 20:59:43 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | c1ad5d94a080d1479358f349f9710f1a |
Instruction |
---|
call 00007FA60D5810DEh |
jmp 00007FA60D57D01Dh |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [004472B0h], eax |
mov dword ptr [004472ACh], ecx |
mov dword ptr [004472A8h], edx |
mov dword ptr [004472A4h], ebx |
mov dword ptr [004472A0h], esi |
mov dword ptr [0044729Ch], edi |
mov word ptr [004472C8h], ss |
mov word ptr [004472BCh], cs |
mov word ptr [00447298h], ds |
mov word ptr [00447294h], es |
mov word ptr [00447290h], fs |
mov word ptr [0044728Ch], gs |
pushfd |
pop dword ptr [004472C0h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [004472B4h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [004472B8h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [004472C4h], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [00447200h], 00010001h |
mov eax, dword ptr [004472B8h] |
mov dword ptr [004471B4h], eax |
mov dword ptr [004471A8h], C0000409h |
mov dword ptr [004471ACh], 00000001h |
mov eax, dword ptr [00446008h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [0044600Ch] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [000000D8h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44b1c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb3000 | 0x18208 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x43000 | 0x198 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x41710 | 0x41800 | 829bb93d31cd2773a7f15bd3ce69b393 | False | 0.8269546159351145 | data | 7.433590009651865 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x43000 | 0x2444 | 0x2600 | 653859e6cc6c4a478f73bc157a2b2c24 | False | 0.36543996710526316 | data | 5.353629372033153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x46000 | 0x6c8e0 | 0x5600 | 134411ba5e3cdaf22aff6266102b03ac | False | 0.043740915697674417 | data | 0.5266503152859804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xb3000 | 0x18208 | 0x18400 | 358d317c61d0482b9cbb56388c22f000 | False | 0.3354139819587629 | data | 4.243766736540801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xb3810 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.27078891257995735 |
RT_ICON | 0xb3810 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.27078891257995735 |
RT_ICON | 0xb46b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4120036101083033 |
RT_ICON | 0xb46b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4120036101083033 |
RT_ICON | 0xb4f60 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.532258064516129 |
RT_ICON | 0xb4f60 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.532258064516129 |
RT_ICON | 0xb5628 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.5744219653179191 |
RT_ICON | 0xb5628 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.5744219653179191 |
RT_ICON | 0xb5b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4224066390041494 |
RT_ICON | 0xb5b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4224066390041494 |
RT_ICON | 0xb8138 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4971311475409836 |
RT_ICON | 0xb8138 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4971311475409836 |
RT_ICON | 0xb8ac0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.499113475177305 |
RT_ICON | 0xb8ac0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.499113475177305 |
RT_ICON | 0xb8f90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3355543710021322 |
RT_ICON | 0xb8f90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3355543710021322 |
RT_ICON | 0xb9e38 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.4002707581227437 |
RT_ICON | 0xb9e38 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.4002707581227437 |
RT_ICON | 0xba6e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.39631336405529954 |
RT_ICON | 0xba6e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.39631336405529954 |
RT_ICON | 0xbada8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.398121387283237 |
RT_ICON | 0xbada8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.398121387283237 |
RT_ICON | 0xbb310 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.22157676348547717 |
RT_ICON | 0xbb310 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.22157676348547717 |
RT_ICON | 0xbd8b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.24859287054409004 |
RT_ICON | 0xbd8b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.24859287054409004 |
RT_ICON | 0xbe960 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.27909836065573773 |
RT_ICON | 0xbe960 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.27909836065573773 |
RT_ICON | 0xbf2e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.3147163120567376 |
RT_ICON | 0xbf2e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.3147163120567376 |
RT_ICON | 0xbf7c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.30223880597014924 |
RT_ICON | 0xbf7c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.30223880597014924 |
RT_ICON | 0xc0670 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.40478339350180503 |
RT_ICON | 0xc0670 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.40478339350180503 |
RT_ICON | 0xc0f18 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.44642857142857145 |
RT_ICON | 0xc0f18 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.44642857142857145 |
RT_ICON | 0xc15e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4407514450867052 |
RT_ICON | 0xc15e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4407514450867052 |
RT_ICON | 0xc1b48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.24601313320825516 |
RT_ICON | 0xc1b48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.24601313320825516 |
RT_ICON | 0xc2bf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.25 |
RT_ICON | 0xc2bf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.25 |
RT_ICON | 0xc3578 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3147163120567376 |
RT_ICON | 0xc3578 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3147163120567376 |
RT_ICON | 0xc3a48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.2747867803837953 |
RT_ICON | 0xc3a48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.2747867803837953 |
RT_ICON | 0xc48f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.3677797833935018 |
RT_ICON | 0xc48f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.3677797833935018 |
RT_ICON | 0xc5198 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.37672811059907835 |
RT_ICON | 0xc5198 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.37672811059907835 |
RT_ICON | 0xc5860 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.37283236994219654 |
RT_ICON | 0xc5860 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.37283236994219654 |
RT_ICON | 0xc5dc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.25881742738589214 |
RT_ICON | 0xc5dc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.25881742738589214 |
RT_ICON | 0xc8370 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.275562851782364 |
RT_ICON | 0xc8370 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.275562851782364 |
RT_ICON | 0xc9418 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.2881147540983607 |
RT_ICON | 0xc9418 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.2881147540983607 |
RT_ICON | 0xc9da0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.32180851063829785 |
RT_ICON | 0xc9da0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.32180851063829785 |
RT_STRING | 0xca448 | 0x58 | data | 0.6590909090909091 | ||
RT_STRING | 0xca4a0 | 0x57e | data | 0.4423897581792319 | ||
RT_STRING | 0xcaa20 | 0x726 | data | 0.4191256830601093 | ||
RT_STRING | 0xcb148 | 0xc0 | data | 0.5885416666666666 | ||
RT_ACCELERATOR | 0xca280 | 0x10 | data | 1.5 | ||
RT_GROUP_ICON | 0xb8f28 | 0x68 | data | Tamil | India | 0.7115384615384616 |
RT_GROUP_ICON | 0xb8f28 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616 |
RT_GROUP_ICON | 0xca208 | 0x76 | data | Tamil | India | 0.6779661016949152 |
RT_GROUP_ICON | 0xca208 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152 |
RT_GROUP_ICON | 0xbf750 | 0x76 | data | Tamil | India | 0.6779661016949152 |
RT_GROUP_ICON | 0xbf750 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152 |
RT_GROUP_ICON | 0xc39e0 | 0x68 | data | Tamil | India | 0.7211538461538461 |
RT_GROUP_ICON | 0xc39e0 | 0x68 | data | Tamil | Sri Lanka | 0.7211538461538461 |
RT_VERSION | 0xca290 | 0x1b4 | data | 0.5665137614678899 |
DLL | Import |
---|---|
KERNEL32.dll | SearchPathW, OpenFile, GetConsoleAliasesLengthW, TlsGetValue, DebugActiveProcessStop, GetDefaultCommConfigW, CreateProcessW, InterlockedIncrement, MoveFileExW, GetEnvironmentStringsW, InterlockedCompareExchange, GetTimeFormatA, CallNamedPipeW, FreeEnvironmentStringsA, GetModuleHandleW, GetDateFormatA, EnumTimeFormatsW, GetVolumePathNameW, GetEnvironmentStrings, SetVolumeLabelA, GetAtomNameW, DeactivateActCtx, GetStartupInfoA, SetLastError, GetLongPathNameA, SetComputerNameA, BuildCommDCBW, GetAtomNameA, LocalAlloc, MoveFileA, SetConsoleDisplayMode, AddAtomW, VirtualProtect, Module32Next, FileTimeToLocalFileTime, DeleteTimerQueueTimer, OpenFileMappingA, GetProfileSectionW, LoadLibraryW, GetCommandLineW, GetLastError, HeapFree, HeapReAlloc, HeapAlloc, Sleep, GetProcAddress, ExitProcess, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameA, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA |
GDI32.dll | GetBitmapBits |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Tamil | India | |
Tamil | Sri Lanka |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-26T15:47:59.155701+0100 | 2059421 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) | 1 | 192.168.2.7 | 53091 | 1.1.1.1 | 53 | UDP |
2025-01-26T15:47:59.169214+0100 | 2059423 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) | 1 | 192.168.2.7 | 58904 | 1.1.1.1 | 53 | UDP |
2025-01-26T15:47:59.794618+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:47:59.794618+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:00.859158+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:00.859158+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.349618+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.349618+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.865980+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:01.865980+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:02.600271+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:02.600271+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:03.207759+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:03.829022+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:03.829022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:05.459225+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:05.459225+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:06.974006+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:06.974006+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:08.667496+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:08.667496+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:11.847642+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:11.847642+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP |
2025-01-26T15:48:12.337047+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP |
- Total Packets: 103
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 26, 2025 15:47:59.186034918 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:47:59.186085939 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:47:59.186151028 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:47:59.189582109 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:47:59.189614058 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:47:59.794538975 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:47:59.794617891 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:47:59.798407078 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:47:59.798420906 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:47:59.798768997 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:47:59.843177080 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.113369942 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.113416910 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.113578081 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:00.859188080 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:00.859296083 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:00.859365940 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.861236095 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.861254930 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:00.861270905 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.861278057 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:00.871609926 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.871659994 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:00.871737003 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.872083902 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:00.872097015 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.349514008 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.349617958 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.352233887 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.352248907 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.352539062 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.354674101 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.354707003 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.354751110 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.865986109 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866034985 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866061926 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866097927 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866107941 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.866137981 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866156101 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.866198063 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866239071 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.866250038 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866596937 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.866637945 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.866643906 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.870748043 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.870774984 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.870798111 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.870804071 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.870806932 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.870852947 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.921333075 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.955650091 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.955838919 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.955892086 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.955913067 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.956074953 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.956147909 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.956233978 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.956248999 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:01.956260920 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:01.956265926 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:02.126146078 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.126190901 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:02.126274109 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.126719952 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.126735926 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:02.599946976 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:02.600270987 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.601408005 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.601418972 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:02.601671934 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:02.606173992 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.606390953 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:02.606421947 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.207815886 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.208060026 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.208170891 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.224893093 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.224917889 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.336381912 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.336441994 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.336539984 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.336961031 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.336971998 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.828830957 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.829021931 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.831636906 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.831669092 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.832969904 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.834475040 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.834652901 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.834744930 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:03.834820032 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:03.834836006 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:04.707654953 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:04.707926035 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:04.709203005 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:04.709203005 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:04.967444897 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:04.967492104 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:04.968055010 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:04.968055010 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:04.968092918 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:05.015265942 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:05.015377998 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:05.459119081 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:05.459224939 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:05.460684061 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:05.460694075 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:05.461020947 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:05.462308884 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:05.462503910 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:05.462531090 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:05.462610960 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:05.462615967 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.110047102 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.110141993 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.110287905 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.110513926 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.110529900 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.477710009 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.477763891 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.477889061 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.478270054 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.478286028 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.973870993 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.974005938 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.975423098 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.975438118 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.975702047 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:06.977153063 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.977328062 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:06.977359056 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:07.480041981 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:07.480129957 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:07.480184078 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:07.480350018 CET | 49711 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:07.480367899 CET | 443 | 49711 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.146831989 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.146873951 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.146944046 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.147234917 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.147245884 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.667402983 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.667495966 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.669188976 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.669200897 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.669451952 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.670917034 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.671912909 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.671952963 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.672080994 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.672107935 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.672276020 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.672321081 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.672452927 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.672483921 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.672652960 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.672672987 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.672844887 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.672863007 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.672871113 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.672883034 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.673027039 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.673042059 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.673065901 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.673203945 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.673223972 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.682063103 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.682274103 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.682301998 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.682327986 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.682343960 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:08.682373047 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:08.686885118 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.270473003 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.270642042 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.270699978 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.270843029 CET | 49722 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.270848989 CET | 443 | 49722 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.321877003 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.321922064 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.322006941 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.322370052 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.322386980 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.847553968 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.847641945 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.849133968 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.849144936 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.849400043 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:11.850790977 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.850825071 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:11.850856066 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:12.337049007 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:12.337142944 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:12.337233067 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:12.337462902 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:12.337486982 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Jan 26, 2025 15:48:12.337497950 CET | 49746 | 443 | 192.168.2.7 | 172.67.149.66 |
Jan 26, 2025 15:48:12.337505102 CET | 443 | 49746 | 172.67.149.66 | 192.168.2.7 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 26, 2025 15:47:59.140929937 CET | 55855 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 26, 2025 15:47:59.150487900 CET | 53 | 55855 | 1.1.1.1 | 192.168.2.7 |
Jan 26, 2025 15:47:59.155700922 CET | 53091 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 26, 2025 15:47:59.166166067 CET | 53 | 53091 | 1.1.1.1 | 192.168.2.7 |
Jan 26, 2025 15:47:59.169214010 CET | 58904 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 26, 2025 15:47:59.180417061 CET | 53 | 58904 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 26, 2025 15:47:59.140929937 CET | 192.168.2.7 | 1.1.1.1 | 0x39e0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jan 26, 2025 15:47:59.155700922 CET | 192.168.2.7 | 1.1.1.1 | 0x1d2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jan 26, 2025 15:47:59.169214010 CET | 192.168.2.7 | 1.1.1.1 | 0xa18f | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 26, 2025 15:47:59.150487900 CET | 1.1.1.1 | 192.168.2.7 | 0x39e0 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Jan 26, 2025 15:47:59.166166067 CET | 1.1.1.1 | 192.168.2.7 | 0x1d2 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Jan 26, 2025 15:47:59.180417061 CET | 1.1.1.1 | 192.168.2.7 | 0xa18f | No error (0) | 172.67.149.66 | A (IP address) | IN (0x0001) | false | ||
Jan 26, 2025 15:47:59.180417061 CET | 1.1.1.1 | 192.168.2.7 | 0xa18f | No error (0) | 104.21.29.142 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:00 UTC | 262 | OUT | |
2025-01-26 14:48:00 UTC | 8 | OUT | |
2025-01-26 14:48:00 UTC | 1122 | IN | |
2025-01-26 14:48:00 UTC | 7 | IN | |
2025-01-26 14:48:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:01 UTC | 263 | OUT | |
2025-01-26 14:48:01 UTC | 42 | OUT | |
2025-01-26 14:48:01 UTC | 1124 | IN | |
2025-01-26 14:48:01 UTC | 245 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN | |
2025-01-26 14:48:01 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:02 UTC | 276 | OUT | |
2025-01-26 14:48:02 UTC | 12809 | OUT | |
2025-01-26 14:48:03 UTC | 1134 | IN | |
2025-01-26 14:48:03 UTC | 20 | IN | |
2025-01-26 14:48:03 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:03 UTC | 280 | OUT | |
2025-01-26 14:48:03 UTC | 15065 | OUT | |
2025-01-26 14:48:04 UTC | 1130 | IN | |
2025-01-26 14:48:04 UTC | 20 | IN | |
2025-01-26 14:48:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:05 UTC | 274 | OUT | |
2025-01-26 14:48:05 UTC | 15331 | OUT | |
2025-01-26 14:48:05 UTC | 5023 | OUT | |
2025-01-26 14:48:06 UTC | 1127 | IN | |
2025-01-26 14:48:06 UTC | 20 | IN | |
2025-01-26 14:48:06 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:06 UTC | 273 | OUT | |
2025-01-26 14:48:06 UTC | 2595 | OUT | |
2025-01-26 14:48:07 UTC | 1126 | IN | |
2025-01-26 14:48:07 UTC | 20 | IN | |
2025-01-26 14:48:07 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:08 UTC | 273 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:08 UTC | 15331 | OUT | |
2025-01-26 14:48:11 UTC | 1137 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-26 14:48:11 UTC | 263 | OUT | |
2025-01-26 14:48:11 UTC | 77 | OUT | |
2025-01-26 14:48:12 UTC | 1125 | IN | |
2025-01-26 14:48:12 UTC | 54 | IN | |
2025-01-26 14:48:12 UTC | 5 | IN |
Target ID: | 4 |
Start time: | 09:47:57 |
Start date: | 26/01/2025 |
Path: | C:\Users\user\Desktop\4JPKDcwtDo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 400'384 bytes |
MD5 hash: | 5530E06DB7D6818359BEF99C53EBEF57 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Has exited: | true |
Target ID: | 11 |
Start time: | 09:48:11 |
Start date: | 26/01/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x690000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |