Windows
Analysis Report
Aew8SXjXEb.exe
Overview
General Information
Sample name: | Aew8SXjXEb.exe (renamed because original name is a hash value) |
Original sample name: | c89c82ab6576a83a2a32bbffe44ef4d7.exe |
Analysis ID: | 1528328 |
MD5: | c89c82ab6576a83a2a32bbffe44ef4d7 |
SHA1: | 7a1db4e5bcdbcfa1fcd8591d2e3ee8708ab41a02 |
SHA256: | 11cb48154b2285d427e5f3bff51c1dde9f59a8b8cfd04fa4d3d3f6e4b0124d44 |
Tags: | 32, exe, trojan |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Aew8SXjXEb.exe (PID: 6032, cmdline: "C:\Users\user\Desktop\Aew8SXjXEb.exe", MD5: C89C82AB6576A83A2A32BBFFE44EF4D7)
  - MSBuild.exe (PID: 2332, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - WerFault.exe (PID: 1888, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | |
{"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
System Summary |
---|
Source: | Author: Kiran kumar s, oscd.community: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-07T19:33:15.882048+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 62.204.41.150 | 80 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00639ABF |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | HTTP traffic detected: | (2 entries) |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | (23 entries) |
Source: | Code function: | 1_2_00406280 |
Source: | HTTP traffic detected: | (2 entries) |
Source: | String found in binary or memory: | (19 entries) |
Source: | Network traffic detected: | (53 entries) |
Source: | Code function: | 0_2_00622021 | |
Source: | Code function: | 0_2_0062729C | |
Source: | Code function: | 0_2_0063D39B | |
Source: | Code function: | 0_2_0063572C | |
Source: | Code function: | 0_2_0067094F | |
Source: | Code function: | 0_2_0062CAF2 | |
Source: | Code function: | 0_2_0063BB36 | |
Source: | Code function: | 0_2_00633C92 | |
Source: | Code function: | 0_2_00621D79 | |
Source: | Code function: | 0_2_0062FEF0 |
Source: | Process created: |
Source: | Binary or memory string: | (2 entries) |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: | (4 entries) |
Source: | Section loaded: | (19 entries) |
Source: | Key value queried: |
Source: | Static PE information: | (13 entries) |
Source: | Code function: | 1_2_0041C03D |
Source: | Code function: | 0_2_006271C0 | |
Source: | Code function: | 0_2_00667F20 | |
Source: | Code function: | 1_2_0041B048 |
Source: | Process information set: | (56 entries) |
Source: | API coverage: |
Source: | Code function: | 0_2_00639ABF |
Source: | Code function: | 1_2_00401160 |
Source: | Binary or memory string: | (33 entries) |
Source: | Process queried: | (2 entries) |
Source: | Code function: | 0_2_00627922 |
Source: | Code function: | 1_2_004045C0 |
Source: | Code function: | 1_2_0041C03D |
Source: | Code function: | 0_2_00622003 | |
Source: | Code function: | 0_2_0063A64C | |
Source: | Code function: | 0_2_00666628 | |
Source: | Code function: | 0_2_00630F2E | |
Source: | Code function: | 1_2_00419750 |
Source: | Code function: | 0_2_0063CC4B |
Source: | Code function: | 0_2_00627610 | |
Source: | Code function: | 0_2_00627922 | |
Source: | Code function: | 0_2_0062DA73 | |
Source: | Code function: | 0_2_00627AAF | |
Source: | Code function: | 1_2_0041AD48 | |
Source: | Code function: | 1_2_0041CEEA | |
Source: | Code function: | 1_2_0041B33A |
Source: | Memory protected: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | File source: | (2 entries) |
Source: | Memory allocated: |
Source: | Memory written: | (7 entries) |
Source: | Process created: |
Source: | Code function: | 0_2_0063C085 | |
Source: | Code function: | 0_2_0063622B | |
Source: | Code function: | 0_2_0063C372 | |
Source: | Code function: | 0_2_0063C327 | |
Source: | Code function: | 0_2_0063C40D | |
Source: | Code function: | 0_2_0063C498 | |
Source: | Code function: | 0_2_0063C6EB | |
Source: | Code function: | 0_2_0063C814 | |
Source: | Code function: | 0_2_0063C91A | |
Source: | Code function: | 0_2_0063C9E9 | |
Source: | Code function: | 0_2_00635D7F |
Source: | Queries volume information: |
Source: | Code function: | 0_2_00627815 |
Source: | Code function: | 1_2_00417850 |
Source: | Binary or memory string: | (5 entries) |
Stealing of Sensitive Information |
---|
Source: | File source: | (10 entries) |
Remote Access Functionality |
---|
Source: | File source: | (10 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | ReversingLabs | Win32.Trojan.Generic | ||
100% | Avira | HEUR/AGEN.1310458 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | unknown | |
s-part-0044.t-0009.fb-t-msedge.net | 13.107.253.72 | true | false | unknown | |
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
true | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
62.204.41.150 | unknown | United Kingdom | 30798 | TNNET-ASTNNetOyMainnetworkFI | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1528328 |
Start date and time: | 2024-10-07 19:32:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Aew8SXjXEb.exe (renamed because original name is a hash value) |
Original Sample Name: | c89c82ab6576a83a2a32bbffe44ef4d7.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@4/5@0/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.190.160.17, 40.126.32.76, 20.190.160.20, 40.126.32.74, 20.190.160.14, 40.126.32.68, 40.126.32.72, 40.126.32.134, 2.16.164.97, 2.16.164.105, 192.229.221.95, 20.42.73.29, 52.149.20.212, 2.23.209.181, 2.23.209.154, 2.23.209.160, 2.23.209.183, 2.23.209.176, 2.23.209.177, 2.23.209.158, 2.23.209.150, 2.23.209.182, 13.85.23.206, 52.165.164.15, 2.23.209.149, 2.23.209.135, 2.23.209.179, 2.23.209.141, 199.232.214.172, 93.184.221.240
- Excluded domains from analysis (whitelisted): crl.edge.digicert.com, azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, wu.azureedge.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, ocsp.edge.digicert.com, onedsblobprdeus15.eastus.cloudapp.azure.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.traffic
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: Aew8SXjXEb.exe
Time | Type | Description |
---|---|---|
13:33:20 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
62.204.41.150 | Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | LummaC | Browse | |
| Get hash | | malicious | LummaC, Vidar | Browse | |
| Get hash | | malicious | Vidar | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | LummaC, Stealc, Vidar | Browse | |
| Get hash | | malicious | LummaC, Vidar | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | HTMLPhisher | Browse | |
| Get hash | | malicious | Vidar | Browse | |
bg.microsoft.map.fastly.net | Get hash | | malicious | Korplug | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | LummaC | Browse | |
| Get hash | | malicious | LummaC, Stealc, Vidar | Browse | |
| Get hash | | malicious | LummaC, Vidar | Browse | |
| Get hash | | malicious | Vidar | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | LummaC, Stealc, Vidar | Browse | |
| Get hash | | malicious | LummaC | Browse | |
| Get hash | | malicious | Vidar | Browse | |
s-part-0044.t-0009.fb-t-msedge.net | Get hash | | malicious | LummaC | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Tycoon2FA | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | DarkTortilla, Snake Keylogger | Browse | |
| Get hash | | malicious | HTMLPhisher | Browse | |
| Get hash | | malicious | HTMLPhisher | Browse | |
| Get hash | | malicious | HTMLPhisher | Browse | |
| Get hash | | malicious | HTMLPhisher | Browse | |
| Get hash | | malicious | FormBook | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
TNNET-ASTNNetOyMainnetworkFI | Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc, Vidar | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Stealc | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
1138de370e523e824bbca92d049a3777 | Get hash | | malicious | LummaC | Browse | |
| Get hash | | malicious | Vidar | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | Credential Flusher | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Credential Flusher | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Tycoon2FA | Browse | |
| Get hash | | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aew8SXjXEb.exe_f6e7fff469788cb2a77365499845ec8544602f72_b1bf4f91_064bad09-4bab-48b2-ad3d-1b452802d532\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6552070716266695 |
Encrypted: | false |
SSDEEP: | 96:AuFoEIoQ0K2sgy9KAwf5QXIDcQvc6QcEVcw3cE/X+HbHg/5hZAX/d5FMT2SlPkpL:vBIoQj2Y0BU/wjhzuiF/Z24IO8u |
MD5: | 36FD7A1DCB3C1247D34FAF4FADC98F7C |
SHA1: | 82259CBEA81843A002FCB5D09C6FCF534645D7C3 |
SHA-256: | A9D94DCE4125DAA1D64712153B21CFDCF71CB51B2C4DD2E15F213FB383A4BAF2 |
SHA-512: | 7121243554B4E64E44573FC37DC6B479BDCC04E0A4D03D51F16D5B201A93606952C1266F610694E812205D74288053D0B83C5186DC94B1086D2CE20405D5845C |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 33388 |
Entropy (8bit): | 1.7315578571379966 |
Encrypted: | false |
SSDEEP: | 96:5u8eDXCte5Tfmi779PYB4k5/7PjqBB7wgoWI0WI4UI4g6Y9PnQDtUm:rImOSFo7wog6Y9PQDtU |
MD5: | 2325E982C3AF62E750D1603C40D0F123 |
SHA1: | 948BE6836B448E5CBBFC9A69757916F386C7892F |
SHA-256: | 2C3EA01BF708AC90799D20B9A5129A4F70E152128FB74013C71A5B2D49A87235 |
SHA-512: | DE8593A263DC8EBEFC45347D0059EA9A56B951112060B2C45F2055511BCF1AA69B92FB38B9575F5DBB94644C7C7DAF93BD697B710737FC54B9F807FD4A3D424B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8326 |
Entropy (8bit): | 3.7044698082073695 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJLt6K6YSTSUzgmfo11FprZ89bcosfYh0m:R6lXJx6K6YmSUzgmfo11OcbfYH |
MD5: | 142D9434D1EC2F75490E7C485B5AC575 |
SHA1: | A39C28EA27C19E1DA913ECE7307CC790366A68C9 |
SHA-256: | 73FDF55048AD4FF2BFD6D089522A0BC095BAAD1B5F398C3F42D3A728F3D360C4 |
SHA-512: | B7DB8D6856AF221CC135DB2464D24630A8741A21D1654CD4B2DC8DCCBAE005CB48FA695ECF7D92CC79C48AE0FF970C3205693A2D3C08312FDBFD0D71ADEA4C12 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4678 |
Entropy (8bit): | 4.499279508688192 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsDuJg77aI9c/WpW8VYzYm8M4Jx3FMx+q8wKFaQlbZd:uIjfDkI72u7VTJOyaQlbZd |
MD5: | 6C37C69F2F4B0278BAD9A9F204224A90 |
SHA1: | E046DDACD1A56512F78213998667C9D9891C870E |
SHA-256: | BBA640E7FF19AF0A052B0EB601DCDE79A7DFF15E34AE67FF87F237C0A61FC853 |
SHA-512: | 1182745E9BB2922FF7147749114EE3233F906E6C557659719FE65792C0384DCC921885B9C8889051F214990F79451FD9C56781B61C307F98B4FD97873EB55FA4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.37270797884068 |
Encrypted: | false |
SSDEEP: | 6144:MFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNFiL:8V1QyWWI/glMM6kF7Tq |
MD5: | B0D377AC8D346D6CE1784252F32A3AD7 |
SHA1: | 339AEFB092BCFB6C7180D9A96ADB8A4808EC806B |
SHA-256: | 3F50A580BA5EC6EBF8DD448FE2A98B5155D63CE2D57810DC9398BF0599CB4C45 |
SHA-512: | B691F30909137ACA72258D70B0493075B43E55F93791D4DCEA65EF23E16C1D78DFFFB06D5658D3B27740D83260533D264A2555DEDF8C39136D1389EC0BD82064 |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 7.682336805567385 |
TrID: |
File name: | Aew8SXjXEb.exe |
File size: | 505'344 bytes |
MD5: | c89c82ab6576a83a2a32bbffe44ef4d7 |
SHA1: | 7a1db4e5bcdbcfa1fcd8591d2e3ee8708ab41a02 |
SHA256: | 11cb48154b2285d427e5f3bff51c1dde9f59a8b8cfd04fa4d3d3f6e4b0124d44 |
SHA512: | be6f1b11dd4ec57e44ba70485a129e4c7a42261e9f1a5909026bd4b19c1d7ee445baaf775c9650761271051719cea1354e55902872d64c5180aa5271f122e862 |
SSDEEP: | 12288:CQJlka1Ilavm3yVUhEgPlV2fBqT5OY4S:Cza1WLliBqA |
TLSH: | 48B4F15174C18072D573223206F5DAB56E3EB8710A62AEDF67840FBE4F30291E7319AB |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.9.y.WUy.WUy.WU..TTu.WU..RT..WU..STl.WU..VTz.WUy.VU!.WUilTTm.WUilSTk.WUilRT4.WU1m^Tx.WU1m.Ux.WU1mUTx.WURichy.WU............... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x406f52 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67041216 [Mon Oct 7 16:53:42 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | d10af643340e1121562abe3e6bd5b0e1 |
Instruction |
---|
call 00007F431C68F460h |
jmp 00007F431C68E9CFh |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push esi |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
movzx eax, word ptr [ecx+14h] |
lea edx, dword ptr [ecx+18h] |
add edx, eax |
movzx eax, word ptr [ecx+06h] |
imul esi, eax, 28h |
add esi, edx |
cmp edx, esi |
je 00007F431C68EB6Bh |
mov ecx, dword ptr [ebp+0Ch] |
cmp ecx, dword ptr [edx+0Ch] |
jc 00007F431C68EB5Ch |
mov eax, dword ptr [edx+08h] |
add eax, dword ptr [edx+0Ch] |
cmp ecx, eax |
jc 00007F431C68EB5Eh |
add edx, 28h |
cmp edx, esi |
jne 00007F431C68EB3Ch |
xor eax, eax |
pop esi |
pop ebp |
ret |
mov eax, edx |
jmp 00007F431C68EB4Bh |
push esi |
call 00007F431C68F774h |
test eax, eax |
je 00007F431C68EB72h |
mov eax, dword ptr fs:[00000018h] |
mov esi, 0047B34Ch |
mov edx, dword ptr [eax+04h] |
jmp 00007F431C68EB56h |
cmp edx, eax |
je 00007F431C68EB62h |
xor eax, eax |
mov ecx, edx |
lock cmpxchg dword ptr [esi], ecx |
test eax, eax |
jne 00007F431C68EB42h |
xor al, al |
pop esi |
ret |
mov al, 01h |
pop esi |
ret |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+08h], 00000000h |
jne 00007F431C68EB59h |
mov byte ptr [0047B350h], 00000001h |
call 00007F431C68EE0Ah |
call 00007F431C691D27h |
test al, al |
jne 00007F431C68EB56h |
xor al, al |
pop ebp |
ret |
call 00007F431C69A789h |
test al, al |
jne 00007F431C68EB5Ch |
push 00000000h |
call 00007F431C691D2Eh |
pop ecx |
jmp 00007F431C68EB3Bh |
mov al, 01h |
pop ebp |
ret |
push ebp |
mov ebp, esp |
cmp byte ptr [0047B351h], 00000000h |
je 00007F431C68EB56h |
mov al, 01h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c6c0 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x3d8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0x1ad4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2abc0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ab00 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x12c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x210f0 | 0x21200 | 15b4eac2d210513051a585f07a7e32c6 | False | 0.5865713443396227 | data | 6.670163410877792 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x23000 | 0x9d78 | 0x9e00 | bf0b7580d5fe33f288e589cde1691485 | False | 0.43517602848101267 | data | 4.9591797408068725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x2d000 | 0x4ef78 | 0x4e200 | 09b23c62cc20b3a796248a28654b24fd | False | 0.989946875 | DOS executable (block device driver \377\377\377\377,32-bit sector-support) | 7.990487855371462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x7c000 | 0x3d8 | 0x400 | 5584c2fd2a321b3ff4d89d84727643be | False | 0.4404296875 | data | 3.290569201128903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7d000 | 0x1ad4 | 0x1c00 | 16092792d232aa39e24b762c0f4a37ab | False | 0.7273995535714286 | data | 6.393192590005456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x7c058 | 0x380 | data | English | United States | 0.46205357142857145 |
DLL | Import |
---|---|
KERNEL32.dll | AttachConsole, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-07T19:33:15.882048+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49707 | 62.204.41.150 | 80 | TCP |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 7, 2024 19:33:16.854921103 CEST | 1.1.1.1 | 192.168.2.8 | 0x34d5 | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Oct 7, 2024 19:33:16.854921103 CEST | 1.1.1.1 | 192.168.2.8 | 0x34d5 | No error (0) | 192.229.221.95 | A (IP address) | IN (0x0001) | false | ||
Oct 7, 2024 19:33:31.579916954 CEST | 1.1.1.1 | 192.168.2.8 | 0x8c69 | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Oct 7, 2024 19:33:31.579916954 CEST | 1.1.1.1 | 192.168.2.8 | 0x8c69 | No error (0) | 192.229.221.95 | A (IP address) | IN (0x0001) | false | ||
Oct 7, 2024 19:34:16.903925896 CEST | 1.1.1.1 | 192.168.2.8 | 0x418 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
Oct 7, 2024 19:34:16.903925896 CEST | 1.1.1.1 | 192.168.2.8 | 0x418 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
Oct 7, 2024 19:34:28.009830952 CEST | 1.1.1.1 | 192.168.2.8 | 0x96e4 | No error (0) | azurefd-t-fb-prod.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Oct 7, 2024 19:34:28.009830952 CEST | 1.1.1.1 | 192.168.2.8 | 0x96e4 | No error (0) | s-part-0044.t-0009.fb-t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Oct 7, 2024 19:34:28.009830952 CEST | 1.1.1.1 | 192.168.2.8 | 0x96e4 | No error (0) | 13.107.253.72 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49707 | 62.204.41.150 | 80 | 2332 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 7, 2024 19:33:14.715749979 CEST | 88 | OUT | |
Oct 7, 2024 19:33:15.399121046 CEST | 203 | IN | |
Oct 7, 2024 19:33:15.403103113 CEST | 419 | OUT | |
Oct 7, 2024 19:33:15.878268957 CEST | 210 | IN |
Target ID: | 0 |
Start time: | 13:33:13 |
Start date: | 07/10/2024 |
Path: | C:\Users\user\Desktop\Aew8SXjXEb.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x620000 |
File size: | 505'344 bytes |
MD5 hash: | C89C82AB6576A83A2A32BBFFE44EF4D7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 13:33:13 |
Start date: | 07/10/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd70000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 13:33:13 |
Start date: | 07/10/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x910000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.3% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 6.1% |
Total number of Nodes: | 229 |
Total number of Limit Nodes: | 3 |
Graph
Function 00622021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00636368 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00638E2E Relevance: 4.7, APIs: 3, Instructions: 202COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063A3A6 Relevance: 3.2, APIs: 2, Instructions: 177COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00639FAA Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0067094F Relevance: 19.6, Strings: 11, Instructions: 5885COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063C9E9 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063D39B Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063C085 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063C814 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0062FEF0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 449COMMONLIBRARYCODE
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00627922 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063C498 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063622B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0062729C Relevance: 1.7, APIs: 1, Instructions: 242COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00639ABF Relevance: 1.6, APIs: 1, Instructions: 108COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063C6EB Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063C91A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00627AAF Relevance: 1.5, APIs: 1, Instructions: 3COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00621D79 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063CC4B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063BB36 Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0063A64C Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00666628 Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00622003 Relevance: .0, Instructions: 12COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00630F2E Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Function 0062A5C8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303, Tags: COMMON, LIBRARYCODE
Function 00635F4A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74, Tags: COMMON, LIBRARYCODE
Function 0062507A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44, Tags: COMMON, LIBRARYCODE
Function 00630F50 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42, Tags: library, loader, COMMON, LIBRARYCODE
Function 0063F356 Relevance: 9.3, APIs: 6, Instructions: 298, Tags: COMMON
Function 0062A371 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168, Tags: COMMON, LIBRARYCODE
Function 00624436 Relevance: 7.5, APIs: 5, Instructions: 48, Tags: COMMON
Function 00623DB1 Relevance: 7.5, APIs: 5, Instructions: 48, Tags: COMMON
Function 00624308 Relevance: 7.5, APIs: 5, Instructions: 47, Tags: COMMON
Function 0062B3A2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27, Tags: library, COMMON, LIBRARYCODE
Function 00641093 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147, Tags: COMMON, LIBRARYCODE
Function 0062A96D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112, Tags: COMMON, LIBRARYCODE
Function 00625107 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49, Tags: COMMON, LIBRARYCODE
Function 0063612C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22, Tags: memory, COMMON
Execution Graph
Execution Coverage: | 13.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0.6% |
Total number of Nodes: | 1529 |
Total number of Limit Nodes: | 3 |
Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114, Tags: string, memory, COMMON
Function 00406280 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191, Tags: network, file, COMMON
Function 00417850 Relevance: 1.5, APIs: 1, Instructions: 36, Tags: COMMON
Function 00401160 Relevance: 1.5, APIs: 1, Instructions: 15, Tags: COMMON
Function 00419C10 Relevance: 18.2, APIs: 8, Strings: 2, Instructions: 684, Tags: library, COMMON
Function 00404880 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 479, Tags: network, COMMON
Function 004047B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60, Tags: network, COMMON
Function 00419860 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212, Tags: library, COMMON
Function 004117A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160, Tags: string, COMMON
Function 004169F0 Relevance: 1.6, APIs: 1, Instructions: 94, Tags: COMMON
Function 004178E0 Relevance: 1.5, APIs: 1, Instructions: 40, Tags: COMMON
Function 00401110 Relevance: 1.5, APIs: 1, Instructions: 21, Tags: memory, COMMON
Function 004010A0 Relevance: 1.3, APIs: 1, Instructions: 41, Tags: memory, COMMON
Function 00410250 Relevance: 26.6, APIs: 3, Strings: 12, Instructions: 363, Tags: string, COMMON
Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205, Tags: string, process, synchronization, COMMON
Function 004152C0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 138, Tags: string, COMMON
Function 00416F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156, Tags: string, COMMON
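When a report like this one is saved as plain text, the per-function tag badges are fused onto the instruction count ("Instructions: 114stringmemoryCOMMON"), which makes the list awkward to sort or filter. The following Python script is an added example, not part of Joe Sandbox or of this report: it parses the function lines in both the fused export form and the comma-separated "Tags:" form, splits the fused tag run using the badge vocabulary visible on this page (string, memory, network, file, library, loader, process, synchronization, COMMON, LIBRARYCODE; treated here as an assumption about the full set), and ranks the functions so an analyst can go straight to the highest-relevance and network-tagged routines. The sample lines embedded in the script are copied from this report's own listing so that it runs offline.

```python
"""Triage helper for the per-function listing of a Joe Sandbox report.

Added example; not Joe Sandbox code. SAMPLE_REPORT is constructed from
function lines of this report so the script runs without the report file.
"""
import re
from dataclasses import dataclass, field

# Tag badges seen on this report's function list (assumed to be the full set).
# Longest first so the greedy splitter matches "synchronization" as a whole.
KNOWN_TAGS = sorted(
    ["string", "memory", "network", "file", "library", "loader", "process",
     "synchronization", "COMMON", "LIBRARYCODE"],
    key=len, reverse=True,
)

# "Relevance: .3" (no leading zero) and "Relevance: 10.8" both occur.
_HEADER = re.compile(
    r"Function\s+(?P<addr>[0-9A-Fa-f]{8})\s+Relevance:\s*(?P<rel>\d*\.\d+|\d+)"
    r"(?:,\s*APIs:\s*(?P<apis>\d+))?"
    r"(?:,\s*Strings:\s*(?P<strings>\d+))?"
    r",\s*Instructions:\s*(?P<instr>\d+)(?P<rest>.*)$"
)


@dataclass
class FunctionEntry:
    address: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: list = field(default_factory=list)


def split_fused_tags(run: str) -> list:
    """Split e.g. 'stringprocesssynchronizationCOMMON' into its tag names.

    Greedy longest-match over KNOWN_TAGS. An unknown fragment raises instead
    of being guessed, so a badge missing from the vocabulary is noticed.
    """
    tags, pos = [], 0
    while pos < len(run):
        for tag in KNOWN_TAGS:
            if run.startswith(tag, pos):
                tags.append(tag)
                pos += len(tag)
                break
        else:
            raise ValueError(f"unknown tag fragment: {run[pos:]!r}")
    return tags


def parse_function_line(line: str):
    """Parse one 'Function ... Relevance: ...' line; None if it is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith(","):
        # Cleaned form: ", Tags: string, memory, COMMON"
        rest = rest.lstrip(",").strip()
        if rest.startswith("Tags:"):
            rest = rest[len("Tags:"):]
        tags = [t.strip() for t in rest.split(",") if t.strip()]
    else:
        # Fused export form: "stringmemoryCOMMON" glued to the instruction count
        tags = split_fused_tags(rest) if rest else []
    return FunctionEntry(
        address=int(m.group("addr"), 16),
        relevance=float(m.group("rel")),
        apis=int(m.group("apis") or 0),
        strings=int(m.group("strings") or 0),
        instructions=int(m.group("instr")),
        tags=tags,
    )


def parse_report(text: str) -> list:
    """Return every function entry found in the report text, in page order."""
    entries = [parse_function_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def top_by_relevance(entries, n=5):
    return sorted(entries, key=lambda e: e.relevance, reverse=True)[:n]


def with_tag(entries, tag):
    return [e for e in entries if tag in e.tags]


# Constructed from lines of this report (fused and cleaned forms, plus one
# residue line that must be ignored).
SAMPLE_REPORT = """\
Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114stringmemoryCOMMON
Function 00406280 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191networkfileCOMMON
Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON
Function 00404880 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 479networkCOMMON
Function 00630F50 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42, Tags: library, loader, COMMON, LIBRARYCODE
Function 0063BB36 Relevance: .3, Instructions: 327COMMON
Function 00621D79 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
Joe Sandbox IDA Plugin |
"""

if __name__ == "__main__":
    funcs = parse_report(SAMPLE_REPORT)
    for e in top_by_relevance(funcs, 3):
        print(f"{e.address:08X} relevance={e.relevance} tags={e.tags}")
    print("network:", [f"{e.address:08X}" for e in with_tag(funcs, "network")])
```

Run it against the full report text instead of SAMPLE_REPORT to get the same ranking for every function; the "network" filter is the quickest way to find the routines worth opening first when the report's configuration extraction already names a C2 URL.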