Create Interactive Tour
Windows
Analysis Report
SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe |
| Analysis ID: | 1632699 |
| MD5: | f9fe873316a74e0d1c93357a904e133f |
| SHA1: | d8a4387af178c7d9b4710c433d6d5c37b89c3d01 |
| SHA256: | b6cbf3bb81c4b91c2aa4552b4767106b9e9510e9e0cc21053913849882609e0c |
| Tags: | exeuser-SecuriteInfoCom |
| Infos: |  |
 | |
Detection
Poverty Stealer
| Score: | 72 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Poverty Stealer
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe (PID: 8300 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Variant.Fr agtor.5191 43.19980.2 1167.exe" MD5: F9FE873316A74E0D1C93357A904E133F)
- cleanup
{
"C2 url": "185.244.212.106:2227"
}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Spreading
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
- • Stealing of Sensitive Information
- • Remote Access Functionality
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0031F791 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_003042E0 | |
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00302880 | |
| Source: | Code function: | 0_2_003059A0 | |
| Source: | Code function: | 0_2_003042E0 | |
| Source: | Code function: | 0_2_0032A019 | |
| Source: | Code function: | 0_2_00323162 | |
| Source: | Code function: | 0_2_003219E4 | |
| Source: | Code function: | 0_2_0030D2A1 | |
| Source: | Code function: | 0_2_0030E3D0 | |
| Source: | Code function: | 0_2_00315C20 | |
| Source: | Code function: | 0_2_003024D0 | |
| Source: | Code function: | 0_2_0031B4CF | |
| Source: | Code function: | 0_2_0030A760 | |
| Source: | Code function: | 0_2_00327F60 | |
| Source: | Code function: | 0_2_00312F5E | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003059A0 | |
| Source: | Command line argument: | 0_2_003271A0 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_003059A0 | |
| Source: | Code function: | 0_2_0030B123 | |
| Source: | Code function: | 0_2_0030D5E1 | |
| Source: | Code function: | 0_2_0031F791 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_003115E3 | |
| Source: | Code function: | 0_2_003059A0 | |
| Source: | Code function: | 0_2_003024D0 | |
| Source: | Code function: | 0_2_0032037D | |
| Source: | Code function: | 0_2_0030D905 | |
| Source: | Code function: | 0_2_0030DB13 | |
| Source: | Code function: | 0_2_003115E3 | |
| Source: | Code function: | 0_2_0030D779 | |
| Source: | Code function: | 0_2_003228A3 | |
| Source: | Code function: | 0_2_0031A9E0 | |
| Source: | Code function: | 0_2_003221DA | |
| Source: | Code function: | 0_2_00322225 | |
| Source: | Code function: | 0_2_003222C0 | |
| Source: | Code function: | 0_2_0032234B | |
| Source: | Code function: | 0_2_0032259E | |
| Source: | Code function: | 0_2_0031AE90 | |
| Source: | Code function: | 0_2_003226C7 | |
| Source: | Code function: | 0_2_00321F2E | |
| Source: | Code function: | 0_2_003227CD | |
| Source: | Code function: | 0_2_003138B9 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Obfuscated Files or Information | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 29% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bitbucket.org | 185.166.143.48 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1632699 |
| Start date and time: | 2025-03-08 23:23:19 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 17s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe |
| Detection: | MAL |
| Classification: | mal72.troj.winEXE@2/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.166.143.48 | Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| bitbucket.org | Get hash | malicious | ScreenConnect Tool | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | GCleaner, LummaC Stealer, Socks5Systemz | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| AMAZON-02US | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Prometei | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Vidar | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | DarkCloud | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.578552636544814 |
| TrID: |
|
| File name: | SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe |
| File size: | 263'168 bytes |
| MD5: | f9fe873316a74e0d1c93357a904e133f |
| SHA1: | d8a4387af178c7d9b4710c433d6d5c37b89c3d01 |
| SHA256: | b6cbf3bb81c4b91c2aa4552b4767106b9e9510e9e0cc21053913849882609e0c |
| SHA512: | f2b7ee2311896b27dc7bb86e8053130cbd903b3d1c0ef4c0788d46dfb9facc5757e21f611bcada16dc9bef567509e810b01c1ae79002aced8942dd04ba8fae80 |
| SSDEEP: | 6144:cqvwbHMtaRWwVa2+B1fUaio83mMXSrlGhAOZpEBv:cqvwbPWwU2+XHkxhlEB |
| TLSH: | 2D448F01B5D1C872D972057158B4ABB95A3EB9200F7099FB53D41F3ECE706C0AB73A6A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+...+...+...`.......`.......`...1...:K..=...:K..9...:K..d...`.......+...O....K..)....K..*...Rich+...........PE..L....M.g... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x40d289 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67CB4DAD [Fri Mar 7 19:49:01 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | db3aeeba15dbf2707fad3ba5becf2830 |
| Instruction |
|---|
| call 00007FF915233149h |
| jmp 00007FF91523284Fh |
| cmp ecx, dword ptr [0043F040h] |
| jne 00007FF9152329D3h |
| ret |
| jmp 00007FF91523326Fh |
| push ebp |
| mov ebp, esp |
| and dword ptr [0044033Ch], 00000000h |
| sub esp, 28h |
| or dword ptr [0043F018h], 01h |
| push 0000000Ah |
| call dword ptr [0042C058h] |
| test eax, eax |
| je 00007FF915232CDBh |
| push ebx |
| push esi |
| push edi |
| xor eax, eax |
| lea edi, dword ptr [ebp-28h] |
| xor ecx, ecx |
| push ebx |
| cpuid |
| mov esi, ebx |
| pop ebx |
| nop |
| mov dword ptr [edi], eax |
| mov dword ptr [edi+04h], esi |
| mov dword ptr [edi+08h], ecx |
| xor ecx, ecx |
| mov dword ptr [edi+0Ch], edx |
| mov eax, dword ptr [ebp-28h] |
| mov edi, dword ptr [ebp-24h] |
| mov dword ptr [ebp-04h], eax |
| xor edi, 756E6547h |
| mov eax, dword ptr [ebp-1Ch] |
| xor eax, 49656E69h |
| mov dword ptr [ebp-18h], eax |
| mov eax, dword ptr [ebp-20h] |
| xor eax, 6C65746Eh |
| mov dword ptr [ebp-14h], eax |
| xor eax, eax |
| inc eax |
| push ebx |
| cpuid |
| mov esi, ebx |
| pop ebx |
| nop |
| lea ebx, dword ptr [ebp-28h] |
| mov dword ptr [ebx], eax |
| mov eax, dword ptr [ebp-18h] |
| or eax, dword ptr [ebp-14h] |
| or eax, edi |
| mov dword ptr [ebx+04h], esi |
| mov dword ptr [ebx+08h], ecx |
| mov dword ptr [ebx+0Ch], edx |
| jne 00007FF915232A0Bh |
| mov eax, dword ptr [ebp-28h] |
| and eax, 0FFF3FF0h |
| cmp eax, 000106C0h |
| je 00007FF9152329F5h |
| cmp eax, 00020660h |
| je 00007FF9152329EEh |
| cmp eax, 00020670h |
| je 00007FF9152329E7h |
| cmp eax, 00030650h |
| je 00007FF9152329E0h |
| cmp eax, 00000660h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3da50 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x41000 | 0x21f0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b190 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x3b200 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3b0d0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2c000 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2a871 | 0x2aa00 | 5d92a4c0393a8d49e1de7f6b64ebe6ab | False | 0.5427339167888563 | data | 6.657676969668933 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2c000 | 0x12176 | 0x12200 | f434dfe0511959e8280c5a216e08dd8c | False | 0.4938981681034483 | data | 5.625546128839358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3f000 | 0x1f58 | 0x1200 | ec2b0f8bccfefd6305027b3795d46b1a | False | 0.1937934027777778 | DOS executable (block device driver \377\377\377\377) | 3.127900718317494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x41000 | 0x21f0 | 0x2200 | 506afc22f15df7ff611ca73eb0f3cce4 | False | 0.7635569852941176 | data | 6.598006424266324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetCurrentProcess, GetModuleHandleA, Sleep, LoadLibraryA, CloseHandle, GetProcAddress, FreeLibrary, GetTickCount, CreateFileW, HeapSize, SetStdHandle, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, HeapAlloc, HeapFree, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, WriteConsoleW |
| USER32.dll | MessageBoxW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
- Total Packets: 19
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 8, 2025 23:24:24.454685926 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:24.454740047 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:24.454830885 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:24.465926886 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:24.465941906 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:26.188783884 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:26.188889027 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:26.541248083 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:26.541285992 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:26.541790009 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:26.541847944 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:26.544790983 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:26.588331938 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.183301926 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.183343887 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.183353901 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.183403969 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.183425903 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.183458090 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.183495998 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.258419037 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.258474112 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.258546114 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.258558035 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.258717060 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.258717060 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.258728981 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.258785009 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.284504890 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.284575939 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.284693003 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Mar 8, 2025 23:24:27.284715891 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.284715891 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.284753084 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.284990072 CET | 49707 | 443 | 192.168.2.5 | 185.166.143.48 |
| Mar 8, 2025 23:24:27.285011053 CET | 443 | 49707 | 185.166.143.48 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 8, 2025 23:24:24.439620018 CET | 61767 | 53 | 192.168.2.5 | 1.1.1.1 |
| Mar 8, 2025 23:24:24.447052956 CET | 53 | 61767 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 8, 2025 23:24:24.439620018 CET | 192.168.2.5 | 1.1.1.1 | 0xc33f | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 8, 2025 23:24:24.447052956 CET | 1.1.1.1 | 192.168.2.5 | 0xc33f | No error (0) | 185.166.143.48 | A (IP address) | IN (0x0001) | false | ||
| Mar 8, 2025 23:24:24.447052956 CET | 1.1.1.1 | 192.168.2.5 | 0xc33f | No error (0) | 185.166.143.49 | A (IP address) | IN (0x0001) | false | ||
| Mar 8, 2025 23:24:24.447052956 CET | 1.1.1.1 | 192.168.2.5 | 0xc33f | No error (0) | 185.166.143.50 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49707 | 185.166.143.48 | 443 | 8300 | C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-08 22:24:26 UTC | 164 | OUT | |
| 2025-03-08 22:24:27 UTC | 5107 | IN |