Windows
Analysis Report
h226x41CQ6.exe
Overview
General Information
Sample name: | h226x41CQ6.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original sample name: | fc8506934f3f379af5f36cdccb0c17ca |
Analysis ID: | 1600405 |
MD5: | fc8506934f3f379af5f36cdccb0c17ca |
SHA1: | 3bccadfcc48c2116389c53714e3be076592731b4 |
SHA256: | 5bd0a7c399000541ab5f7398af02d5ced96e4f3adcea59a63c35dcf890bdc8de |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
  - h226x41CQ6.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\h226x41CQ6.exe" MD5: FC8506934F3F379AF5F36CDCCB0C17CA)
  - h226x41CQ6.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\h226x41CQ6.exe" MD5: FC8506934F3F379AF5F36CDCCB0C17CA)
  - WerFault.exe (PID: 7572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 260 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
```json
{
  "C2 url": [
    "pioneeruyj.sbs",
    "nervepianoyo.sbs",
    "conceptionnyi.sbs",
    "fightyglobo.sbs",
    "modellydivi.sbs",
    "smashygally.sbs",
    "platformcati.sbs",
    "qualifielgalt.sbs"
  ],
  "Build id": "H8NgCl--"
}
```
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:13.879270+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.356568+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:16.739157+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:40.121324+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:41.576040+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:43.214282+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:46.133395+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:48.988318+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:14.198569+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.863766+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:49.797125+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:14.198569+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:15.863766+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:13.879270+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.356568+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:16.739157+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:40.121324+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:41.576040+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:43.214282+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:46.133395+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:48.988318+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:13.379336+0100 | 2056706 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61325 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:45.046611+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Process queried: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: |
Source: | String found in binary or memory: |
Source: | Process created: |
Source: | Queries volume information: |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | String found in binary or memory: |
Source: | File opened: |
Source: | Directory queried: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 12 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 41 Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 111 Process Injection | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 79% | Virustotal | | Browse |
| 87% | ReversingLabs | Win32.Trojan.Multiverze | |
| 100% | Avira | HEUR/AGEN.1305290 | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
platformcati.sbs | 104.21.112.1 | true | true | unknown | |
itsrevolutionmagnus.xyz | unknown | unknown | true | unknown | |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.112.1 | platformcati.sbs | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1600405 |
Start date and time: | 2025-01-27 14:53:17 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | h226x41CQ6.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original Sample Name: | fc8506934f3f379af5f36cdccb0c17ca |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/5@2/1 |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.32.72, 13.107.253.45, 4.175.87.197
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
08:54:13 | API Interceptor | |
10:01:18 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.112.1 | | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook, PureLog Stealer | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
platformcati.sbs | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | TechSupportScam | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |
| | Get hash | malicious | ScreenConnect Tool | Browse | |
| | Get hash | malicious | ScreenConnect Tool | Browse | |
| | Get hash | malicious | Qbot | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | PureLog Stealer, Vidar | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | SmokeLoader | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer, Stealc | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6585768723965039 |
Encrypted: | false |
SSDEEP: | 96:0kuFNdFYsyh3oI7Rq6tQXIDcQvc6QcEVcw3cE/9kM+HbHg/5hZAX/d5FMT2SlPkS:AfdFYK0BU/YjhzuiFMZ24IO83A |
MD5: | B23A8E06A4632EC68E703C702AAA61E9 |
SHA1: | C9D79C61859C6E8EDCEB6207E6D4D057AC0E5BF0 |
SHA-256: | DC46726A4DDE48D22FAC13A5080C9D7DC19C581880E5C39370206BFF1C1D4E4D |
SHA-512: | 55DAC05335CAD3E67CE5E668DB714939C1D504084C0C8B0F96347C8D165CD6D33B6F0956AB15F577EF49D3394759504AE2536C41F451A2054D47B66D7CDB0FF1 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32288 |
Entropy (8bit): | 1.7259724286111786 |
Encrypted: | false |
SSDEEP: | 96:5k8E7pFHyn/SJmVzJ0ti77hQzuiM8RsgJZ2p1u1TAerXWI9RWIySb4y0t84Wd/:NOOnldwOWHRspapAer3Ay0tTWd/ |
MD5: | DC336BBA1AABFF4D9C8435F4CB4920C3 |
SHA1: | FBDD6EE50ED0D2A52108566821AC3E04A546F1F3 |
SHA-256: | 017B3E4F9C0D9E3FFBAA6305CBD153C74AA1C70C77D8C222814C612D807388E2 |
SHA-512: | EF7282127FDB68DAD96B43F3ED858A4801BFB7331E697097F0E25F350C5318C60783F9D1562A2E916ECA9377C56899F280DDF38766428CCA5A3E9FF3A47CA9E0 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8402 |
Entropy (8bit): | 3.7010235130898055 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJd46x6YNmvSU7agmfkGprx89biVsfh7Wm:R6lXJS6x6YIvSU7agmfkNiufhz |
MD5: | E44E9FF06F578EA3637ADB5831B00506 |
SHA1: | 9DA4933F7878BF9155C01CA67FFD89C84FBB97CE |
SHA-256: | 8B88D09F0DE47A40587B6248F3A6398B5CA9BA13373FDFEC75C9A2530DF917D6 |
SHA-512: | 49BBA59092A9468F45AA13B05836FE61073EDE640EBD1B99974553DB5D34AAA96A4BF5328248D3247CA7CB9A75BA3A32B0CF9628E10B50A217FD99348D2C4768 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4720 |
Entropy (8bit): | 4.480857344817235 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsLrJg77aI9F6WpW8VY2Ym8M4Jg83iEFY+q8vh3ik7yzvzId:uIjfLFI7b77VKJXGKBz4bId |
MD5: | AFE5AA97CE747AE120BE36E3AF1F78B1 |
SHA1: | 7363D0EC300046034E50E6510825E4BE4A382032 |
SHA-256: | B0637E476BD9B9746FA53068D3D5B1C3A23C39287FADA5ABBCC153D785482050 |
SHA-512: | 9D4197C28AB09C157A91DBDC65959D0DB6CAA6967AD031EE4262774E00DC63B7D225344171F4FC50E1125115D8A7DCFD9C1AC7982DEB3BFC9438929220060DD4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.416673673402909 |
Encrypted: | false |
SSDEEP: | 6144:Ccifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNW5+:vi58oSWIZBk2MM6AFBYo |
MD5: | 3BEF5D0303B47AAD2E6170BC4F63C236 |
SHA1: | 532B7ACDCCB0FC28D83B7CE9EAE46FF8B5E8675C |
SHA-256: | 62AB5F4D836B2ACEC01349010C7879B7EED7D71BA8AB2818C02DC1CF176EC62A |
SHA-512: | DD0EE1580E3CEDE8460317D107FAAF7D7619341F262D80349D6B5BDD572086DFD7E00BE1EDA79E268BA2CBF991F59CBCEE4355524FBDBD855396DDDDA2135821 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.677322192663024 |
TrID: | |
File name: | h226x41CQ6.exe |
File size: | 491'048 bytes |
MD5: | fc8506934f3f379af5f36cdccb0c17ca |
SHA1: | 3bccadfcc48c2116389c53714e3be076592731b4 |
SHA256: | 5bd0a7c399000541ab5f7398af02d5ced96e4f3adcea59a63c35dcf890bdc8de |
SHA512: | fdf07feaaa7429948fe406d48446bf56eb0b8ffbc28aab0e8c6b07f07efd1b28510145f08018a8b72d242afe2d743ca69e8ef238c1af1ed4dba1389529df96c9 |
SSDEEP: | 6144:4SXqWHJut4OcfDdJc2CSe5xyMUq27fqAytMYbUMPFr5pOUkMQZsHyRZJT33oEO:FXqWrOQb2ZUHfqAyTUMLUMQhZ33oEO |
TLSH: | C6A4120675C0C072E9664A328870DBF19B7CFC344F605EDF33995A7A9FA43C24A1696B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Nzu..............i.......i.......i.......i..........^.......................#...B.......B.......B.......Rich................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x401d29 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6713A8A8 [Sat Oct 19 12:40:08 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 12fb41fe7c2715179030b9cdaa5263a9 |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 5F1B6B6C408DB2B4D60BAA489E9A0E5A |
Thumbprint SHA-1: | 15F760D82C79D22446CC7D4806540BF632B1E104 |
Thumbprint SHA-256: | 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D |
Serial: | 0997C56CAA59055394D9A9CDB8BEEB56 |
Instruction |
---|
call 00007FE240F6D62Dh |
jmp 00007FE240F6D0BFh |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [00414014h] |
push dword ptr [ebp+08h] |
call dword ptr [00414010h] |
push C0000409h |
call dword ptr [00414018h] |
push eax |
call dword ptr [0041401Ch] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call dword ptr [00414020h] |
test eax, eax |
je 00007FE240F6D247h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [00471088h], eax |
mov dword ptr [00471084h], ecx |
mov dword ptr [00471080h], edx |
mov dword ptr [0047107Ch], ebx |
mov dword ptr [00471078h], esi |
mov dword ptr [00471074h], edi |
mov word ptr [004710A0h], ss |
mov word ptr [00471094h], cs |
mov word ptr [00471070h], ds |
mov word ptr [0047106Ch], es |
mov word ptr [00471068h], fs |
mov word ptr [00471064h], gs |
pushfd |
pop dword ptr [00471098h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [0047108Ch], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00471090h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [0047109Ch], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [00470FD8h], 00010001h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a6b8 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x75800 | 0x2628 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x10b8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19970 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x198b0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x12580 | 0x12600 | ac9ad1c701e7d6a60f117a40bdfced55 | False | 0.6130420918367347 | COM executable for DOS | 6.652849199056284 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x14000 | 0x6cfc | 0x6e00 | 6ad4c3bbd048d271d2404b264ab0f6c2 | False | 0.4693536931818182 | data | 5.111738586022721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1b000 | 0x569cc | 0x56000 | 903254533ed0a6b682e735f437f72d50 | False | 0.9944528978924418 | data | 7.995099656093306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x72000 | 0x1e0 | 0x200 | 1a74fae71ecce055ab8978394eed8aa8 | False | 0.52734375 | data | 4.704363013479242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x73000 | 0x10b8 | 0x1200 | f3f166dae9240d335b1dad3fad88f030 | False | 0.7322048611111112 | data | 6.307172215022896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.ball | 0x75000 | 0x2400 | 0x2400 | 406c6cd69e5c18b4f7e63b50165763c6 | False | 0.027452256944444444 | data | 0.26840349151112036 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ball | 0x78000 | 0x2400 | 0x2400 | 406c6cd69e5c18b4f7e63b50165763c6 | False | 0.027452256944444444 | data | 0.26840349151112036 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x72060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
KERNEL32.dll | GetSystemFileCacheSize, AddAtomA, VirtualQuery, VirtualQueryEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, HeapSize, HeapReAlloc, CloseHandle, CreateFileW, DecodePointer |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-27T14:54:13.379336+0100 | 2056706 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (platformcati .sbs) | 1 | 192.168.2.7 | 61325 | 1.1.1.1 | 53 | UDP |
2025-01-27T14:54:13.879270+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:13.879270+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:14.198569+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:14.198569+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.356568+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.356568+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.863766+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:15.863766+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:16.739157+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:16.739157+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:40.121324+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:40.121324+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:41.576040+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:41.576040+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:43.214282+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:43.214282+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:45.046611+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:46.133395+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:46.133395+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:48.988318+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:48.988318+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP |
2025-01-27T14:54:49.797125+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP |
- Total Packets: 103
Jan 27, 2025 14:54:42.723128080 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:42.723197937 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:42.723280907 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:42.723656893 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:42.723675013 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:43.214184046 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:43.214282036 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:43.215285063 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:43.215306997 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:43.216335058 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:43.220967054 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:43.221081018 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:43.221122980 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:45.046622992 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:45.046715021 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:45.046788931 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:45.047036886 CET | 49860 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:45.047053099 CET | 443 | 49860 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:45.513175964 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:45.513217926 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:45.513290882 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:45.513607979 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:45.513621092 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.133275032 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.133394957 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.134836912 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.134845018 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.135890007 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.156229973 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.157104969 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.157186031 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.157366991 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.157428026 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.158066988 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.158133984 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.158472061 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.158502102 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.158629894 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.158667088 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.159006119 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.159034967 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.159044981 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.159058094 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.159159899 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.159188032 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.159204960 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.159323931 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.159360886 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.167706013 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.167855024 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.167885065 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.167922974 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.167932987 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.168001890 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:46.168019056 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:46.168090105 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.473634958 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.473763943 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.474025011 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.474025011 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.492146969 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.492198944 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.492290020 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.492604971 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.492620945 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.783835888 CET | 49871 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.783869982 CET | 443 | 49871 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.988239050 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.988317966 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.989905119 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.989917994 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.990248919 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:48.991606951 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.991714954 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:48.991750002 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:49.797132969 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:49.797240019 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:49.797322035 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:49.797506094 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:49.797522068 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Jan 27, 2025 14:54:49.797535896 CET | 49892 | 443 | 192.168.2.7 | 104.21.112.1 |
Jan 27, 2025 14:54:49.797540903 CET | 443 | 49892 | 104.21.112.1 | 192.168.2.7 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 27, 2025 14:54:13.379336119 CET | 61325 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 27, 2025 14:54:13.391993046 CET | 53 | 61325 | 1.1.1.1 | 192.168.2.7 |
Jan 27, 2025 14:54:49.800844908 CET | 50527 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 27, 2025 14:54:49.811139107 CET | 53 | 50527 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 27, 2025 14:54:13.379336119 CET | 192.168.2.7 | 1.1.1.1 | 0xb39a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:49.800844908 CET | 192.168.2.7 | 1.1.1.1 | 0x9a5b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:13.391993046 CET | 1.1.1.1 | 192.168.2.7 | 0xb39a | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Jan 27, 2025 14:54:49.811139107 CET | 1.1.1.1 | 192.168.2.7 | 0x9a5b | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:14 UTC | 263 | OUT | |
2025-01-27 13:54:14 UTC | 8 | OUT | |
2025-01-27 13:54:14 UTC | 554 | IN | |
2025-01-27 13:54:14 UTC | 815 | IN | |
2025-01-27 13:54:14 UTC | 1369 | IN | |
2025-01-27 13:54:14 UTC | 1369 | IN | |
2025-01-27 13:54:14 UTC | 1003 | IN | |
2025-01-27 13:54:14 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:15 UTC | 353 | OUT | |
2025-01-27 13:54:15 UTC | 42 | OUT | |
2025-01-27 13:54:15 UTC | 1126 | IN | |
2025-01-27 13:54:15 UTC | 243 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN | |
2025-01-27 13:54:15 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:16 UTC | 371 | OUT | |
2025-01-27 13:54:16 UTC | 12839 | OUT | |
2025-01-27 13:54:39 UTC | 1124 | IN | |
2025-01-27 13:54:39 UTC | 20 | IN | |
2025-01-27 13:54:39 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:40 UTC | 371 | OUT | |
2025-01-27 13:54:40 UTC | 15071 | OUT | |
2025-01-27 13:54:40 UTC | 1129 | IN | |
2025-01-27 13:54:40 UTC | 20 | IN | |
2025-01-27 13:54:40 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:41 UTC | 371 | OUT | |
2025-01-27 13:54:41 UTC | 15331 | OUT | |
2025-01-27 13:54:41 UTC | 5065 | OUT | |
2025-01-27 13:54:42 UTC | 1121 | IN | |
2025-01-27 13:54:42 UTC | 20 | IN | |
2025-01-27 13:54:42 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:43 UTC | 370 | OUT | |
2025-01-27 13:54:43 UTC | 2451 | OUT | |
2025-01-27 13:54:45 UTC | 1127 | IN | |
2025-01-27 13:54:45 UTC | 20 | IN | |
2025-01-27 13:54:45 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:46 UTC | 372 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:46 UTC | 15331 | OUT | |
2025-01-27 13:54:48 UTC | 1126 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-27 13:54:48 UTC | 353 | OUT | |
2025-01-27 13:54:48 UTC | 77 | OUT | |
2025-01-27 13:54:49 UTC | 1118 | IN | |
2025-01-27 13:54:49 UTC | 142 | IN | |
2025-01-27 13:54:49 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 08:54:11 |
Start date: | 27/01/2025 |
Path: | C:\Users\user\Desktop\h226x41CQ6.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe70000 |
File size: | 491'048 bytes |
MD5 hash: | FC8506934F3F379AF5F36CDCCB0C17CA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 08:54:11 |
Start date: | 27/01/2025 |
Path: | C:\Users\user\Desktop\h226x41CQ6.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe70000 |
File size: | 491'048 bytes |
MD5 hash: | FC8506934F3F379AF5F36CDCCB0C17CA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 10 |
Start time: | 08:54:12 |
Start date: | 27/01/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5c0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |