Windows
Analysis Report
WINNERIUM BETA.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
WINNERIUM BETA.exe (PID: 7836 cmdline:
"C:\Users\ user\Deskt op\WINNERI UM BETA.ex e" MD5: 1EA7701D7A2E8C0F3A7A50F0747C70F5) conhost.exe (PID: 7844 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • HIPS / PFW / Operating System Protection Evasion
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | NtOpenFile: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtUnmapViewOfSection: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtMapViewOfSection: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | 1 Credential API Hooking | 1 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
50% | ReversingLabs | Win64.Trojan.Generic | ||
43% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ecl1pse.fun | 45.130.41.132 | true | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.130.41.132 | ecl1pse.fun | Russian Federation | 198610 | BEGET-ASRU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1670618 |
Start date and time: | 2025-04-21 23:59:16 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | WINNERIUM BETA.exe |
Detection: | MAL |
Classification: | mal60.evad.winEXE@2/2@1/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, S IHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29, 172 .202.163.200 - Excluded domains from analysis
(whitelisted): a-ring-fallbac k.msedge.net, fs.microsoft.com , slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki .goog, fe3cr.delivery.mp.micro soft.com - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
BEGET-ASRU | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Cobalt Strike, FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LodaRAT | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Vidar | Browse |
| ||
Get hash | malicious | Vidar | Browse |
|
Process: | C:\Users\user\Desktop\WINNERIUM BETA.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27 |
Entropy (8bit): | 3.7323082253324764 |
Encrypted: | false |
SSDEEP: | 3:qiVmwn:qOh |
MD5: | 6C313963396AFBD6AC073CB39BE0ED90 |
SHA1: | C1E57E22C2136EBDC192A285003C9E84979773E8 |
SHA-256: | CE002658B1E928176E05653E4B5431C2543747955FE241FB39D16B8F463CBC20 |
SHA-512: | 0EE658C6D1100C30D3E034CADC64BAF604F902D023CA6DFE3A5AD5910B52EFC4D0E043226C918B1B96A4F0F0D7878BCA7B4D7811939ED1C09C86BEABF6D6307C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\WINNERIUM BETA.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44 |
Entropy (8bit): | 4.252172175938121 |
Encrypted: | false |
SSDEEP: | 3:34FqAHMmmw2IjXy:rm3jXy |
MD5: | C7DC28AA9EBA63A87749420DE2327FBD |
SHA1: | A4E64D6C948B01067A2BBF768F6DC449546013EE |
SHA-256: | 5B5D2F98CDB2015548DD301B291983A0959AC6D98D0CAC4A70D663D8775354C8 |
SHA-512: | 8A280CD15408CBC2039A9E955058A289C4C82533488EF86B7D8155F316E4540ABD21D80AC9AEED17E44F69124DE9CD07A1D21E0D87D5C9E7F69B34A49A617F62 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.893545785652754 |
TrID: |
|
File name: | WINNERIUM BETA.exe |
File size: | 16'737'792 bytes |
MD5: | 1ea7701d7a2e8c0f3a7a50f0747c70f5 |
SHA1: | 9507198adb87b6ca820077bbeb2e61605096af9e |
SHA256: | d9fb39ba6319a26fda70992c1d423b1d124179c2986e4a39d28e05ccafa1f7f0 |
SHA512: | 1038b2e6d8f7ad69ae1988c8898cb74c8e115a8ed7a371f1f897c1a1928a3dbf344500a8bd0c60b27a9e2ae226aeea3cc8f59f397aab1fdfa046339108f3ace8 |
SSDEEP: | 393216:5wmzURm3Tf9nGd0UiFMAE3xCNwOCFMRrIQhk2O9c6mvHo:5kaz9ADeuxMwOZrlWbA |
TLSH: | 10F623C2BEC5D6A4C1E64E101DC6639F219573DE81BFCF0E39CD9C032A81E658D1A7A6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...D..h.........."....+.....8#......S(........@..........................................`................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x1412853d6 |
Entrypoint Section: | .p~s |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6804EB44 [Sun Apr 20 12:40:36 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 2e78d66089bd48eef856d1bd3f778216 |
Instruction |
---|
inc ecx |
push esi |
dec ecx |
mov esi, 69859933h |
mov bh, 33h |
mov esi, 45669CA0h |
xor esi, esi |
push ebp |
inc ecx |
xor esi, 49B4BE93h |
inc ecx |
bswap esi |
inc cx |
not esi |
dec esp |
mov esi, dword ptr [esp+10h] |
dec eax |
mov dword ptr [esp+10h], 70F43433h |
push dword ptr [esp+08h] |
popfd |
dec eax |
lea esp, dword ptr [esp+10h] |
call 00007FCD2529F0E2h |
jnbe 00007FCD24B9A20Bh |
xlatb |
inc edx |
pushfd |
mov al, 7Ah |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b20b8 | 0x154 | .p~s |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1aed000 | 0x1d5 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1ae7f50 | 0x3180 | .p~s |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1aec000 | 0x110 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb47b68 | 0x28 | .p~s |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ae7e10 | 0x140 | .p~s |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xaf5000 | 0x128 | .?=& |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xef1c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x10000 | 0x7560 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x18000 | 0x22b340 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x244000 | 0x810 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
."m> | 0x245000 | 0x8afbd6 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.?=& | 0xaf5000 | 0xae8 | 0xc00 | 10c32a6ad012dde088ce8acafe895963 | False | 0.0439453125 | data | 0.3111563766553659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.p~s | 0xaf6000 | 0xff50d0 | 0xff5200 | cce7c2a62422169da4ce04e4dc2b7122 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x1aec000 | 0x110 | 0x200 | 5508fdf9bb34c5c418ff7eac76011fe5 | False | 0.40625 | GLS_BINARY_LSB_FIRST | 2.740906682745257 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x1aed000 | 0x1d5 | 0x200 | 5b803853f247ccae867276e1e76eb76a | False | 0.53125 | data | 4.726212239845141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x1aed058 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
KERNEL32.dll | SetConsoleTextAttribute |
ADVAPI32.dll | GetTokenInformation |
SHELL32.dll | ShellExecuteExW |
MSVCP140.dll | ?good@ios_base@std@@QEBA_NXZ |
WININET.dll | InternetCloseHandle |
ntdll.dll | RtlVirtualUnwind |
VCRUNTIME140_1.dll | __CxxFrameHandler4 |
VCRUNTIME140.dll | __current_exception_context |
api-ms-win-crt-runtime-l1-1-0.dll | _configure_narrow_argv |
api-ms-win-crt-string-l1-1-0.dll | _wcsicmp |
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s |
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
KERNEL32.dll | GetSystemTimeAsFileTime |
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Download Network PCAP: filtered – full
- Total Packets: 12
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 22, 2025 00:00:19.799999952 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:19.800033092 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:19.800143003 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:19.822031975 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:19.822051048 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:20.468321085 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:20.468584061 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.009747028 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.009782076 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:21.010145903 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:21.010198116 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.017786980 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.064271927 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:21.335344076 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:21.335398912 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.335413933 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:21.335423946 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Apr 22, 2025 00:00:21.335454941 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.335472107 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.340208054 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132 |
Apr 22, 2025 00:00:21.340226889 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 22, 2025 00:00:19.261337042 CEST | 59586 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 22, 2025 00:00:19.778361082 CEST | 53 | 59586 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 22, 2025 00:00:19.261337042 CEST | 192.168.2.4 | 1.1.1.1 | 0x51d3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 22, 2025 00:00:19.778361082 CEST | 1.1.1.1 | 192.168.2.4 | 0x51d3 | No error (0) | 45.130.41.132 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49713 | 45.130.41.132 | 443 | 7836 | C:\Users\user\Desktop\WINNERIUM BETA.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-21 22:00:21 UTC | 98 | OUT | |
2025-04-21 22:00:21 UTC | 313 | IN | |
2025-04-21 22:00:21 UTC | 27 | IN |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 18:00:14 |
Start date: | 21/04/2025 |
Path: | C:\Users\user\Desktop\WINNERIUM BETA.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff636a30000 |
File size: | 16'737'792 bytes |
MD5 hash: | 1EA7701D7A2E8C0F3A7A50F0747C70F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 18:00:15 |
Start date: | 21/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62fc20000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |