
Windows Analysis Report
main.exe

Overview

General Information

Sample name:main.exe
Analysis ID:1634005
MD5:087340a168cee0b901154e924ab0066a
SHA1:4bf3bb2510fbf695c4bf5dc5bad273a1059c4ed1
SHA256:685a1c671eae3f59a4a73a2239b4fe53c1aaa0242038bb6ace23aa7634423018
Infos:

Detection

Xmrig
Score:68
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Joe Sandbox ML detected suspicious sample
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • main.exe (PID: 8384 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 087340A168CEE0B901154E924AB0066A)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000000.00000002.2574313008.000000000336A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: main.exe PID: 8384 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: main.exe | Avira: detected
Source: main.exe | Virustotal: Detection: 62% (Perma Link)
Source: main.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.5% probability

Bitcoin Miner

Source: Yara match | File source: 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2574313008.000000000336A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: main.exe PID: 8384, type: MEMORYSTR
Source: main.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\main.exe | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: main.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\Users\martin\34\python\PCbuild\_hashlib.pdb source: main.exe, 00000000.00000003.1336636577.000000000369E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2575210716.0000000010089000.00000002.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\select.pdb source: main.exe, 00000000.00000002.2575274761.000000001D112000.00000002.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\python34.pdb source: main.exe, 00000000.00000002.2575498585.000000001E13C000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2573448733.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\_bz2.pdb source: main.exe, 00000000.00000002.2575327946.000000001D17B000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1334824069.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1334843105.00000000032C5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\_ssl.pdb source: main.exe, 00000000.00000002.2574707564.0000000003756000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338364600.00000000038C1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\_lzma.pdb source: main.exe, 00000000.00000003.1341830590.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1341830590.000000000342E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1341830590.000000000340E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574118063.0000000002C9B000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1343117396.000000000342E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\_socket.pdb source: main.exe, 00000000.00000003.1335243352.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2573812589.0000000001087000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1335264303.00000000032C7000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\unicodedata.pdb source: main.exe, 00000000.00000003.1339292813.0000000003858000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338978089.00000000037BF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574938192.0000000003964000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338744463.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338744463.00000000033A8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338744463.00000000033B8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\martin\34\python\PCbuild\_ctypes.pdb source: main.exe, 00000000.00000002.2575380562.000000001D1AF000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1333755099.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1333959411.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 151.101.2.49
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /ca/cacert.pem HTTP/1.1
    Accept-Encoding: identity
    User-Agent: Python-urllib/3.4
    Connection: close
    Host: curl.haxx.se
Source: global traffic | DNS traffic detected: DNS query: curl.haxx.se
Source: main.exe, 00000000.00000002.2574447787.00000000034C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://curl.haxx.se/ca/cacert.pem
Source: main.exe, 00000000.00000002.2574447787.00000000034C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://curl.haxx.se/ca/cacert.peming
Source: main.exe, 00000000.00000002.2574801989.0000000003830000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: main.exe, 00000000.00000002.2574774712.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://python-requests.org
Source: main.exe, 00000000.00000002.2574774712.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://python-requests.org_.py
Source: main.exe, 00000000.00000002.2573448733.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: main.exe, 00000000.00000003.1336636577.000000000369E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574707564.0000000003756000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338145569.00000000037B0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2575210716.0000000010089000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338364600.00000000038C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: main.exe, 00000000.00000003.1336636577.000000000369E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574707564.0000000003756000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338145569.00000000037B0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2575210716.0000000010089000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338364600.00000000038C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: main.exe, 00000000.00000003.1332951199.0000000003099000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332918989.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2573908337.00000000013D0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1333185461.0000000003099000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: main.exe, 00000000.00000003.1332468447.0000000003038000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332468447.000000000302D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332212328.000000000309B000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2573908337.00000000013D0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332468447.0000000003099000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332232505.000000000302D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332856398.0000000003099000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332856398.000000000305A000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332232505.0000000003038000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332393654.000000000305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: main.exe, 00000000.00000003.1348835271.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574801989.0000000003830000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.haxx.se/ca/cacert.pem
Source: main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.haxx.se/ca/cacert.pemm
Source: main.exe, 00000000.00000002.2574475208.0000000003500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/shazow/urllib3/issues/497
Source: main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lapi-test.lostallods.me/
Source: main.exe, 00000000.00000002.2574313008.000000000336A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lapi-test.lostallods.me/N)
Source: main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lapi-test.lostallods.me/S
Source: main.exe, 00000000.00000002.2574255025.0000000003240000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574475208.0000000003500000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Source: main.exe, 00000000.00000002.2574610659.0000000003640000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies
Source: main.exe, 00000000.00000002.2574610659.0000000003640000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxiesSS
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: main.exe, 00000000.00000002.2573448733.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepython34.dll. vs main.exe
Source: main.exe, 00000000.00000002.2575646998.000000001E291000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepython34.dll. vs main.exe
Source: classification engine | Classification label: mal68.mine.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\main.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\main.exe | File read: C:\Users\user\Desktop\main.exe
Source: C:\Users\user\Desktop\main.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\main.exe | Section loaded: srvcli.dll
Source: main.exe | Static file information: File size 9991211 > 1048576
        Source: main.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x11ce00
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: main.exe, 00000000.00000002.2573840441.000000000109E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\main.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\main.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (tactic: matched technique, with the number of signature hits). Tactics listed are Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact; only the following had matches:
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Software Packing (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: Security Software Discovery (1), Process Discovery (1), System Information Discovery (2)
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)
Behavior Graph (ID: 1634005; Sample: main.exe; Start date: 10/03/2025; Architecture: WINDOWS; Score: 68). Nodes: main.exe started; DNS/IP: dualstack.c.sni.global.fastly.net (151.101.2.49, port 443, local ports 49708 and 49709, FASTLYUS, United States) and curl.haxx.se; signatures: Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, Yara detected Xmrig cryptocurrency miner, Joe Sandbox ML detected suspicious sample.

Source | Detection | Scanner | Label | Link
main.exe | 62% | Virustotal | | Browse
main.exe | 27% | ReversingLabs | Win32.Trojan.DisguisedXMRigMiner |
main.exe | 100% | Avira | HEUR/AGEN.1314659 |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://lapi-test.lostallods.me/S | 0% | Avira URL Cloud | safe |
https://lapi-test.lostallods.me/N) | 0% | Avira URL Cloud | safe |
https://lapi-test.lostallods.me/ | 0% | Avira URL Cloud | safe |
https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxiesSS | 0% | Avira URL Cloud | safe |
http://python-requests.org_.py | 0% | Avira URL Cloud | safe |
https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
dualstack.c.sni.global.fastly.net | 151.101.2.49 | true | false | | high
curl.haxx.se | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://lapi-test.lostallods.me/S | main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://python.org/dev/peps/pep-0263/ | main.exe, 00000000.00000002.2573448733.0000000000BC1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://lapi-test.lostallods.me/N) | main.exe, 00000000.00000002.2574313008.000000000336A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html.................... | main.exe, 00000000.00000003.1336636577.000000000369E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574707564.0000000003756000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338145569.00000000037B0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2575210716.0000000010089000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338364600.00000000038C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings | main.exe, 00000000.00000002.2574255025.0000000003240000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574475208.0000000003500000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://python-requests.org_.py | main.exe, 00000000.00000002.2574774712.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies | main.exe, 00000000.00000002.2574610659.0000000003640000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://curl.haxx.se/ca/cacert.pem | main.exe, 00000000.00000002.2574447787.00000000034C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.haxx.se/ca/cacert.pem | main.exe, 00000000.00000003.1348835271.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574801989.0000000003830000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.haxx.se/ca/cacert.pemm | main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://curl.haxx.se/rfc/cookie_spec.html | main.exe, 00000000.00000002.2574801989.0000000003830000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.python.org/dev/peps/pep-0205/ | main.exe, 00000000.00000003.1332951199.0000000003099000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332918989.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2573908337.00000000013D0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1333185461.0000000003099000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lapi-test.lostallods.me/ | main.exe, 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://curl.haxx.se/ca/cacert.peming | main.exe, 00000000.00000002.2574447787.00000000034C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.python.org/download/releases/2.3/mro/. | main.exe, 00000000.00000003.1332468447.0000000003038000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332468447.000000000302D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332212328.000000000309B000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2573908337.00000000013D0000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332468447.0000000003099000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332232505.000000000302D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332856398.0000000003099000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332856398.000000000305A000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332232505.0000000003038000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.1332393654.000000000305A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/shazow/urllib3/issues/497 | main.exe, 00000000.00000002.2574475208.0000000003500000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://python-requests.org | main.exe, 00000000.00000002.2574774712.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxiesSS | main.exe, 00000000.00000002.2574610659.0000000003640000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | main.exe, 00000000.00000003.1336636577.000000000369E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2574707564.0000000003756000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338145569.00000000037B0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.2575210716.0000000010089000.00000002.00001000.00020000.00000000.sdmp, main.exe, 00000000.00000003.1338364600.00000000038C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
151.101.2.49 | dualstack.c.sni.global.fastly.net | United States | | 54113 | FASTLYUS | false
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1634005
                                      Start date and time:2025-03-10 17:45:18 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 4m 30s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:main.exe
                                      Detection:MAL
                                      Classification:mal68.mine.winEXE@1/0@1/1
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, g.bing.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
151.101.2.49 | http://pqpqpyj.sbs/av/avr08/index.php?lpkey=174043cdcee2702426549f3edfdcca41a099969599&trkd=omokeh.org&lpkey1=cuun8cujn1oc7393lv6g&language=de&scanid=cuun8cujn1oc7393lv6g&ip=147.161.235.77&t1=133&t2=%7Bt1%7D&t3=%7Bt2%7D&t4=49&t5=174123395189&dm=1&pbid=4598&uid=Tev3Ewws7LqtzrNjCqkamFhqO8Mhj2&t10=4833 | malicious | Unknown
151.101.2.49 | http://xn--ftbollibre-ndb.su | malicious | Unknown
151.101.2.49 | http://rbitzer.com | malicious | Unknown
151.101.2.49 | http://pixcams.com | malicious | Unknown
151.101.2.49 | http://auth.stubli.com | malicious | Unknown
151.101.2.49 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown
151.101.2.49 | https://attservero.weebly.com/ | malicious | HTMLPhisher
151.101.2.49 | https://reprogrammer.livraison.3-75-178-102.cprapid.com/dpd/update.php | malicious | Unknown
151.101.2.49 | https://junoupdatesecurity.weebly.com/ | malicious | HTMLPhisher
151.101.2.49 | https://www.theintentionaliep.com/product/digital-special-education/ | malicious | Unknown
                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | https://dc1.convertc.com/event/v1/80401460/82362114/recentpurc/208463838.0153674575/6/cV9sU2Hc/B751BVZb/X.wgBlUMmEtoL7lLreHRS.dIbQhLbIKHVgjj1IvzEh_5AuOYVcDstYG0DCzEP9XO2LU-/click?url=https://gamma.app/docs/Sayer-Regan-Thayer-LLP-siiq7nvr7y2s7k4?mode=present#card-um3vy81gbcrpf02 | malicious | Unknown | 151.101.2.217
FASTLYUS | FW 188355..msg | malicious | HTMLPhisher | 199.232.214.172
FASTLYUS | Ontbrekende urenstaat.html | malicious | Unknown | 151.101.1.229
FASTLYUS | https://publizr.com/alliedcon/allied-construction | malicious | Gabagool | 151.101.1.229
FASTLYUS | https://publizr.com/alliedcon/allied-construction | malicious | Gabagool | 151.101.2.137
FASTLYUS | https://github.com/fenwikk/rickroll/raw/main/roll.p1 | malicious | Unknown | 185.199.109.133
FASTLYUS | RECHNUNG_Lieferschein_001927.htm | malicious | Unknown | 151.101.194.137
FASTLYUS | http://raretoonsindia.co | malicious | Unknown | 199.232.192.193
FASTLYUS | https://kwikkopyegypt.com/wp-admin/mail.verify/interface.root/login.php/inbox.html#jake.totam@southwark.anglican.org | malicious | HTMLPhisher | 151.101.130.137
FASTLYUS | https://kwikkopyegypt.com/wp-admin/mail.verify/interface.root/login.php/inbox.html#luke.tatam@southwark.anglican.org | malicious | HTMLPhisher | 151.101.130.137
                                                          No context
                                                          No context
                                                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.998434681660803
TrID:
• Win32 Executable (generic) a (10002005/4) 99.66%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: main.exe
File size: 9'991'211 bytes
MD5: 087340a168cee0b901154e924ab0066a
SHA1: 4bf3bb2510fbf695c4bf5dc5bad273a1059c4ed1
SHA256: 685a1c671eae3f59a4a73a2239b4fe53c1aaa0242038bb6ace23aa7634423018
SHA512: 4411b96cb39085aadbb4387cbc4b6c59ad67c2fdb6b93368ff1de2edb54b65d93197a1be6e6286452d12d4e5dda7e00797d9eb5e82ee8041273517bd7eafdfd5
SSDEEP: 196608:PYCbGn17upv2hYiEKkqflPbMQQQz9bjtOOyGl60XtANGj81OjWadjRef0MU:PYN7iCYJqdMQ7k5WtAs81OjWaTef0MU
TLSH: BCA633A481FE4139F377E3B14957CE8A52C4433E125FD12A6F1143E598FF2E86B9062A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}....H...H...H.i.H...H.i.H...H.i.H...H...H...H...H...H.i.H...H.i.H...H.i.H...H.i.H...HRich...H................PE..L...QzFT...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6a69e0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x54467A51 [Tue Oct 21 15:22:57 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 49340a9d9aeedc9a43057c7d7201cff0
                                                          Instruction
                                                          pushad
                                                          mov esi, 0058A000h
                                                          lea edi, dword ptr [esi-00189000h]
                                                          push edi
                                                          jmp 00007F6404F0B06Dh
                                                          nop
                                                          mov al, byte ptr [esi]
                                                          inc esi
                                                          mov byte ptr [edi], al
                                                          inc edi
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          jc 00007F6404F0B04Fh
                                                          mov eax, 00000001h
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          adc eax, eax
                                                          add ebx, ebx
                                                          jnc 00007F6404F0B06Dh
                                                          jne 00007F6404F0B08Ah
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          jc 00007F6404F0B081h
                                                          dec eax
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          adc eax, eax
                                                          jmp 00007F6404F0B036h
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          adc ecx, ecx
                                                          jmp 00007F6404F0B0B4h
                                                          xor ecx, ecx
                                                          sub eax, 03h
                                                          jc 00007F6404F0B073h
                                                          shl eax, 08h
                                                          mov al, byte ptr [esi]
                                                          inc esi
                                                          xor eax, FFFFFFFFh
                                                          je 00007F6404F0B0D7h
                                                          sar eax, 1
                                                          mov ebp, eax
                                                          jmp 00007F6404F0B06Dh
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          jc 00007F6404F0B02Eh
                                                          inc ecx
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          jc 00007F6404F0B020h
                                                          add ebx, ebx
                                                          jne 00007F6404F0B069h
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          adc ecx, ecx
                                                          add ebx, ebx
                                                          jnc 00007F6404F0B051h
                                                          jne 00007F6404F0B06Bh
                                                          mov ebx, dword ptr [esi]
                                                          sub esi, FFFFFFFCh
                                                          adc ebx, ebx
                                                          jnc 00007F6404F0B046h
                                                          add ecx, 02h
                                                          cmp ebp, FFFFFB00h
                                                          adc ecx, 02h
                                                          lea edx, dword ptr [edi+ebp]
                                                          cmp ebp, FFFFFFFCh
                                                          jbe 00007F6404F0B070h
                                                          mov al, byte ptr [edx]
                                                          Programming Language:
                                                          • [IMP] VS2010 SP1 build 40219
                                                          • [ASM] VS2010 SP1 build 40219
                                                          • [C++] VS2010 SP1 build 40219
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ C ] VS2010 SP1 build 40219
                                                          • [EXP] VS2010 SP1 build 40219
                                                          • [RES] VS2010 SP1 build 40219
                                                          • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4a60 | 0x54c | UPX0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a70d4 | 0x124 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a7000 | 0xd4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a71f8 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2a6bbc | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x189000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x18a000 | 0x11d000 | 0x11ce00 | 8a6731f7c2052b892ad41956a6f24db6 | False | 0.9856185210070206 | data | 7.953761973137751 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2a7000 | 0x1000 | 0x400 | d3c3a49a0ee05a67b3ba9e4e63c0866d | False | 0.2900390625 | Matlab v4 mat-file (little endian), numeric, rows 0, columns 4, imaginary | 2.25128560659012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PYTHON34.DLL | 0x70d4 | 0x29b400 | empty | | | 0
PYTHONSCRIPT | 0x2a24d4 | 0x124a | data | | | 0.9920973942759505
DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MSVCR100.dll | exit
SHELL32.dll | CommandLineToArgvW
USER32.dll | GetFocus


                                                          • Total Packets: 9
                                                          • 443 (HTTPS)
                                                          • 80 (HTTP)
                                                          • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 17:46:15.857577085 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:15.862633944 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5
Mar 10, 2025 17:46:15.863986969 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:15.864088058 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:15.869087934 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5
Mar 10, 2025 17:46:16.353230953 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5
Mar 10, 2025 17:46:16.353414059 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5
Mar 10, 2025 17:46:16.353482962 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:16.357072115 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:16.362246037 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5
Mar 10, 2025 17:46:17.003238916 CET | 49709 | 443 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:17.003324032 CET | 443 | 49709 | 151.101.2.49 | 192.168.2.5
Mar 10, 2025 17:46:17.003437996 CET | 49709 | 443 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:17.003882885 CET | 49709 | 443 | 192.168.2.5 | 151.101.2.49
Mar 10, 2025 17:46:17.003909111 CET | 443 | 49709 | 151.101.2.49 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 17:46:15.836735010 CET | 56403 | 53 | 192.168.2.5 | 1.1.1.1
Mar 10, 2025 17:46:15.846478939 CET | 53 | 56403 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 10, 2025 17:46:15.836735010 CET | 192.168.2.5 | 1.1.1.1 | 0x5cec | Standard query (0) | curl.haxx.se | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | curl.haxx.se | dualstack.c.sni.global.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | dualstack.c.sni.global.fastly.net | | 151.101.2.49 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | dualstack.c.sni.global.fastly.net | | 151.101.66.49 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | dualstack.c.sni.global.fastly.net | | 151.101.130.49 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | dualstack.c.sni.global.fastly.net | | 151.101.194.49 | A (IP address) | IN (0x0001) | false
                                                          • curl.haxx.se
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 151.101.2.49 | 80 | 8384 | C:\Users\user\Desktop\main.exe
Timestamp | Bytes transferred | Direction | Data
Mar 10, 2025 17:46:15.864088058 CET | 128 | OUT | GET /ca/cacert.pem HTTP/1.1
Accept-Encoding: identity
User-Agent: Python-urllib/3.4
Connection: close
Host: curl.haxx.se
Mar 10, 2025 17:46:16.353230953 CET | 409 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://curl.haxx.se/ca/cacert.pem
Accept-Ranges: bytes
Date: Mon, 10 Mar 2025 16:46:16 GMT
Via: 1.1 varnish
X-Served-By: cache-ewr-kewr1740054-EWR
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1741625176.298312,VS0,VE0
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
Target ID: 0
Start time: 12:46:13
Start date: 10/03/2025
Path: C:\Users\user\Desktop\main.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\main.exe"
Imagebase: 0xbc0000
File size: 9'991'211 bytes
MD5 hash: 087340A168CEE0B901154E924AB0066A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.2574859343.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.2574313008.000000000336A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                                                          No disassembly