Edit tour
Windows
Analysis Report
schost.exe
Overview
General Information
| Sample name: | schost.exe |
| Analysis ID: | 1579695 |
| MD5: | 4d82074854750fdba89d76624cc1e6f6 |
| SHA1: | 1cab8150956317418f64e67692072cac8472b75b |
| SHA256: | 019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d |
| Tags: | exeuser-abuse_ch |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
schost.exe (PID: 7316 cmdline: "C:\Users\ user\Deskt op\schost. exe" MD5: 4D82074854750FDBA89D76624CC1E6F6) 
dxdiag.exe (PID: 7332 cmdline: "C:\Window s\SysWOW64 \dxdiag.ex e" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF) - dxdiag.exe (PID: 7340 cmdline:
"C:\Window s\SysWOW64 \dxdiag.ex e" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF) - dxdiag.exe (PID: 7348 cmdline:
"C:\Window s\SysWOW64 \dxdiag.ex e" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
- cleanup
{"C2 url": "https://fixxyplanterv.click/api", "Build Version": "ZqchOa--new"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-23T07:33:10.417997+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:12.428698+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:14.724193+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:17.007472+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:19.306895+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:22.039255+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:24.560618+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:28.317755+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.6.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-23T07:33:11.160165+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:13.188279+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:29.092914+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 104.21.6.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-23T07:33:11.160165+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-23T07:33:13.188279+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-23T07:33:17.818275+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 104.21.6.116 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 3_2_00415971 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_0040D866 | |
| Source: | Code function: | 3_2_0043C8F0 | |
| Source: | Code function: | 3_2_00415971 | |
| Source: | Code function: | 3_2_0043CA10 | |
| Source: | Code function: | 3_2_0040E458 | |
| Source: | Code function: | 3_2_0040E458 | |
| Source: | Code function: | 3_2_0040E458 | |
| Source: | Code function: | 3_2_0043D400 | |
| Source: | Code function: | 3_2_0043D400 | |
| Source: | Code function: | 3_2_0043D400 | |
| Source: | Code function: | 3_2_0040CDD7 | |
| Source: | Code function: | 3_2_00438640 | |
| Source: | Code function: | 3_2_004227B0 | |
| Source: | Code function: | 3_2_0041805C | |
| Source: | Code function: | 3_2_00409070 | |
| Source: | Code function: | 3_2_00425800 | |
| Source: | Code function: | 3_2_00425820 | |
| Source: | Code function: | 3_2_004180EC | |
| Source: | Code function: | 3_2_004238F0 | |
| Source: | Code function: | 3_2_0040D136 | |
| Source: | Code function: | 3_2_004029C0 | |
| Source: | Code function: | 3_2_0040D9D6 | |
| Source: | Code function: | 3_2_0042A9D5 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004231F6 | |
| Source: | Code function: | 3_2_004231F6 | |
| Source: | Code function: | 3_2_0041A9B0 | |
| Source: | Code function: | 3_2_0041CA48 | |
| Source: | Code function: | 3_2_0043BA70 | |
| Source: | Code function: | 3_2_0043BA70 | |
| Source: | Code function: | 3_2_0042AAC6 | |
| Source: | Code function: | 3_2_0042AAD7 | |
| Source: | Code function: | 3_2_004082F0 | |
| Source: | Code function: | 3_2_004362F0 | |
| Source: | Code function: | 3_2_004362F0 | |
| Source: | Code function: | 3_2_00426282 | |
| Source: | Code function: | 3_2_0041DA80 | |
| Source: | Code function: | 3_2_0042AA8A | |
| Source: | Code function: | 3_2_00432AA0 | |
| Source: | Code function: | 3_2_004022B0 | |
| Source: | Code function: | 3_2_0041BB20 | |
| Source: | Code function: | 3_2_0041C330 | |
| Source: | Code function: | 3_2_00436BE4 | |
| Source: | Code function: | 3_2_00407450 | |
| Source: | Code function: | 3_2_00407450 | |
| Source: | Code function: | 3_2_004264F2 | |
| Source: | Code function: | 3_2_0043CCF0 | |
| Source: | Code function: | 3_2_0043CCF0 | |
| Source: | Code function: | 3_2_0043CCF0 | |
| Source: | Code function: | 3_2_0040A4FC | |
| Source: | Code function: | 3_2_00416CBD | |
| Source: | Code function: | 3_2_0042456F | |
| Source: | Code function: | 3_2_00421D73 | |
| Source: | Code function: | 3_2_00421D73 | |
| Source: | Code function: | 3_2_00438D70 | |
| Source: | Code function: | 3_2_00438D70 | |
| Source: | Code function: | 3_2_00417D74 | |
| Source: | Code function: | 3_2_0042A58E | |
| Source: | Code function: | 3_2_00428DB0 | |
| Source: | Code function: | 3_2_0041AEC5 | |
| Source: | Code function: | 3_2_0040DEE9 | |
| Source: | Code function: | 3_2_0043B6F0 | |
| Source: | Code function: | 3_2_0041676A | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_0043A71E | |
| Source: | Code function: | 3_2_00409730 | |
| Source: | Code function: | 3_2_0041AFD8 | |
| Source: | Code function: | 3_2_0042456F | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 3_2_004303F0 | |
| Source: | Code function: | 3_2_004303F0 | |
| Source: | Code function: | 3_2_00431262 | |
| Source: | Code function: | 3_2_00435870 | |
| Source: | Code function: | 3_2_00415971 | |
| Source: | Code function: | 3_2_00408920 | |
| Source: | Code function: | 3_2_0043CA10 | |
| Source: | Code function: | 3_2_0040AAE0 | |
| Source: | Code function: | 3_2_00420B10 | |
| Source: | Code function: | 3_2_0040E458 | |
| Source: | Code function: | 3_2_0043D400 | |
| Source: | Code function: | 3_2_00425480 | |
| Source: | Code function: | 3_2_00435530 | |
| Source: | Code function: | 3_2_00438640 | |
| Source: | Code function: | 3_2_0043A7F4 | |
| Source: | Code function: | 3_2_004227B0 | |
| Source: | Code function: | 3_2_0043D040 | |
| Source: | Code function: | 3_2_00414860 | |
| Source: | Code function: | 3_2_00433875 | |
| Source: | Code function: | 3_2_00425800 | |
| Source: | Code function: | 3_2_00425820 | |
| Source: | Code function: | 3_2_0042683C | |
| Source: | Code function: | 3_2_0041D0C0 | |
| Source: | Code function: | 3_2_004230C0 | |
| Source: | Code function: | 3_2_004238F0 | |
| Source: | Code function: | 3_2_00403950 | |
| Source: | Code function: | 3_2_0040F116 | |
| Source: | Code function: | 3_2_0040E122 | |
| Source: | Code function: | 3_2_0040B124 | |
| Source: | Code function: | 3_2_004281C0 | |
| Source: | Code function: | 3_2_0040D9D6 | |
| Source: | Code function: | 3_2_0042A9D5 | |
| Source: | Code function: | 3_2_004061E0 | |
| Source: | Code function: | 3_2_004181E9 | |
| Source: | Code function: | 3_2_004231F6 | |
| Source: | Code function: | 3_2_00405980 | |
| Source: | Code function: | 3_2_00436980 | |
| Source: | Code function: | 3_2_00414860 | |
| Source: | Code function: | 3_2_0043BA70 | |
| Source: | Code function: | 3_2_00412200 | |
| Source: | Code function: | 3_2_00426A10 | |
| Source: | Code function: | 3_2_00419219 | |
| Source: | Code function: | 3_2_0042AAC6 | |
| Source: | Code function: | 3_2_004092D0 | |
| Source: | Code function: | 3_2_0042AAD7 | |
| Source: | Code function: | 3_2_004082F0 | |
| Source: | Code function: | 3_2_004362F0 | |
| Source: | Code function: | 3_2_0041DA80 | |
| Source: | Code function: | 3_2_0042AA8A | |
| Source: | Code function: | 3_2_00438A90 | |
| Source: | Code function: | 3_2_00427365 | |
| Source: | Code function: | 3_2_0040FB71 | |
| Source: | Code function: | 3_2_00404300 | |
| Source: | Code function: | 3_2_0041BB20 | |
| Source: | Code function: | 3_2_0041C330 | |
| Source: | Code function: | 3_2_00436BE4 | |
| Source: | Code function: | 3_2_00402B90 | |
| Source: | Code function: | 3_2_00404C50 | |
| Source: | Code function: | 3_2_00407450 | |
| Source: | Code function: | 3_2_00434463 | |
| Source: | Code function: | 3_2_00415460 | |
| Source: | Code function: | 3_2_00434C70 | |
| Source: | Code function: | 3_2_00427C0F | |
| Source: | Code function: | 3_2_0041D4C0 | |
| Source: | Code function: | 3_2_0043CCF0 | |
| Source: | Code function: | 3_2_0041EC80 | |
| Source: | Code function: | 3_2_0042E480 | |
| Source: | Code function: | 3_2_00416CBD | |
| Source: | Code function: | 3_2_0042456F | |
| Source: | Code function: | 3_2_00421D73 | |
| Source: | Code function: | 3_2_00438D70 | |
| Source: | Code function: | 3_2_00417D74 | |
| Source: | Code function: | 3_2_00424DD0 | |
| Source: | Code function: | 3_2_0041BE71 | |
| Source: | Code function: | 3_2_00406670 | |
| Source: | Code function: | 3_2_0040EE70 | |
| Source: | Code function: | 3_2_0041CE00 | |
| Source: | Code function: | 3_2_00434ED0 | |
| Source: | Code function: | 3_2_004216E0 | |
| Source: | Code function: | 3_2_0043B6F0 | |
| Source: | Code function: | 3_2_00415FA1 | |
| Source: | Code function: | 3_2_00417742 | |
| Source: | Code function: | 3_2_00402F50 | |
| Source: | Code function: | 3_2_0041676A | |
| Source: | Code function: | 3_2_00419710 | |
| Source: | Code function: | 3_2_00411712 | |
| Source: | Code function: | 3_2_0040C72B | |
| Source: | Code function: | 3_2_00409730 | |
| Source: | Code function: | 3_2_004277E0 | |
| Source: | Code function: | 3_2_0043B7E0 | |
| Source: | Code function: | 3_2_0042779B | |
| Source: | Code function: | 3_2_00415FA1 | |
| Source: | Code function: | 3_2_0041A7A0 | |
| Source: | Code function: | 3_2_0042456F | |
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_00435870 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_00442905 | |
| Source: | Code function: | 3_2_00438A0E | |
| Source: | Code function: | 3_2_004423ED | |
| Source: | Code function: | 3_2_0043B692 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_00439E40 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF7B0C05D6C | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 54% | Virustotal | Browse | ||
| 58% | ReversingLabs | Win32.Exploit.LummaC | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| fixxyplanterv.click | 104.21.6.116 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| true | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.6.116 | fixxyplanterv.click | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1579695 |
| Start date and time: | 2024-12-23 07:32:13 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 56s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | schost.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@7/0@1/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target schost.exe, PID 7316 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 01:33:10 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.767097954057833 |
| TrID: |
|
| File name: | schost.exe |
| File size: | 13'084'160 bytes |
| MD5: | 4d82074854750fdba89d76624cc1e6f6 |
| SHA1: | 1cab8150956317418f64e67692072cac8472b75b |
| SHA256: | 019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d |
| SHA512: | 068bd8c1db17c4def612618d463239f002e8f4712691a8fc9163215bdaa7bc5306aa861c396438c647e7b839c2c67c5709b25e0695e1baa668aa100310255f9d |
| SSDEEP: | 196608:hL1kxR9F9KENR9N4bQOZNxVs0eb+CwRVu4fpbr7vOSPFjytXwt4TPnqunXcHF91v:uF3zv8Zrqb+CUuubX26jytnTPjnXcBv |
| TLSH: | 6CD6D01D7EB7F9ECB07E503A861712338A77615C0A27A2F671A34650EE0B1A64FE3135 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....[g..........".................X].........@.............................0......g.....`........................................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x1400d5d58 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x675B13DF [Thu Dec 12 16:48:31 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 7bb4e8cef6a9f350a8f5dc71e7b3773c |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007FE91060FEE0h |
| dec eax |
| add esp, 28h |
| jmp 00007FE91060FD4Fh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+18h], ebx |
| push ebp |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 30h |
| dec eax |
| mov eax, dword ptr [00B572C0h] |
| dec eax |
| mov ebx, 2DDFA232h |
| cdq |
| sub eax, dword ptr [eax] |
| add byte ptr [eax+3Bh], cl |
| ret |
| jne 00007FE91060FF46h |
| dec eax |
| and dword ptr [ebp+10h], 00000000h |
| dec eax |
| lea ecx, dword ptr [ebp+10h] |
| call dword ptr [00A1156Ah] |
| dec eax |
| mov eax, dword ptr [ebp+10h] |
| dec eax |
| mov dword ptr [ebp-10h], eax |
| call dword ptr [00A114ECh] |
| mov eax, eax |
| dec eax |
| xor dword ptr [ebp-10h], eax |
| call dword ptr [00A114D8h] |
| mov eax, eax |
| dec eax |
| lea ecx, dword ptr [ebp+18h] |
| dec eax |
| xor dword ptr [ebp-10h], eax |
| call dword ptr [00A115D0h] |
| mov eax, dword ptr [ebp+18h] |
| dec eax |
| lea ecx, dword ptr [ebp-10h] |
| dec eax |
| shl eax, 20h |
| dec eax |
| xor eax, dword ptr [ebp+18h] |
| dec eax |
| xor eax, dword ptr [ebp-10h] |
| dec eax |
| xor eax, ecx |
| dec eax |
| mov ecx, FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae6ef8 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc38000 | 0x1b4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc31000 | 0x32dc | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc39000 | 0x495f8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xae6520 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xadd6b0 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xae71c0 | 0x2a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xebf06 | 0xec000 | f077e891ef49b29a01b23649d9933970 | False | 0.4997662043167373 | data | 6.569703029269052 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xed000 | 0x9fed94 | 0x9fee00 | 5ada00a0a9adad51da8233e9524a43b5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xaec000 | 0x144990 | 0x142000 | fc6fa67ec1b735a686c48250ee98e703 | False | 0.2727498119662267 | data | 4.999685941787632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xc31000 | 0x32dc | 0x3400 | f2e0fbca580d7b6a3dbffd995f27a909 | False | 0.5103665865384616 | data | 5.797187617935086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .fptable | 0xc35000 | 0x100 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xc36000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0xc37000 | 0x280 | 0x400 | e8618c72264b53e612f4176d4c788223 | False | 0.2900390625 | data | 3.1924568878086177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc38000 | 0x1b4 | 0x200 | d8e2ab6591d51d1e028636851ebbd973 | False | 0.48828125 | data | 5.103911525545503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xc39000 | 0x495f8 | 0x49600 | 266714dd9a826a9200d118b70e4a7be2 | False | 0.014483736158432708 | data | 5.431539098658791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xc38058 | 0x15b | ASCII text, with CRLF line terminators | English | United States | 0.5446685878962536 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-23T07:33:10.417997+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:11.160165+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:11.160165+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:12.428698+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:13.188279+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:13.188279+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:14.724193+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:17.007472+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:17.818275+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49734 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:19.306895+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:22.039255+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:24.560618+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:28.317755+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.6.116 | 443 | TCP |
| 2024-12-23T07:33:29.092914+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49742 | 104.21.6.116 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 23, 2024 07:33:09.184736967 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:09.184794903 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:09.184912920 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:09.189460039 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:09.189471960 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:10.417915106 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:10.417996883 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:10.421681881 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:10.421694040 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:10.422106028 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:10.463381052 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:10.482479095 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:10.482479095 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:10.482825041 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:11.160200119 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:11.160465956 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:11.160613060 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:11.162118912 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:11.162118912 CET | 49731 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:11.162139893 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:11.162166119 CET | 443 | 49731 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:11.210084915 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:11.210199118 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:11.210305929 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:11.210582972 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:11.210621119 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:12.428555012 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:12.428698063 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:12.462615967 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:12.462672949 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:12.463013887 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:12.481021881 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:12.481089115 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:12.481141090 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.188252926 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.188313961 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.188350916 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.188395023 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.188469887 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.188529968 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.188548088 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.197207928 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.197261095 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.197278023 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.205236912 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.205368042 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.205404043 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.260243893 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.260263920 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.307132959 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.307847977 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.353990078 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.353998899 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.383603096 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.383676052 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.383690119 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.383809090 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.383856058 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.383938074 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.383954048 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.383970022 CET | 49732 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.383977890 CET | 443 | 49732 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.508793116 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.508857012 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:13.508936882 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.509232044 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:13.509247065 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:14.724050045 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:14.724193096 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:14.725847960 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:14.725871086 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:14.726115942 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:14.727653980 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:14.727835894 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:14.727870941 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:14.727958918 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:14.727972031 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:15.647197962 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:15.647310972 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:15.647377968 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:15.647619009 CET | 49733 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:15.647651911 CET | 443 | 49733 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:15.792813063 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:15.792874098 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:15.792954922 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:15.793387890 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:15.793402910 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.007373095 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.007472038 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:17.009079933 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:17.009100914 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.009406090 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.010673046 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:17.010831118 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:17.010862112 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.818295956 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.818401098 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:17.818483114 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:17.818723917 CET | 49734 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:17.818749905 CET | 443 | 49734 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:18.094255924 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:18.094331980 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:18.094419956 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:18.094829082 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:18.094842911 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:19.306663990 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:19.306895018 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:19.308713913 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:19.308727026 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:19.309007883 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:19.310388088 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:19.310544014 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:19.310570955 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:19.310643911 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:19.310652018 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:20.264800072 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:20.264923096 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:20.264975071 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:20.265054941 CET | 49735 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:20.265074015 CET | 443 | 49735 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:20.828407049 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:20.828470945 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:20.828536987 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:20.828836918 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:20.828850031 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.039182901 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.039254904 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:22.040678978 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:22.040688038 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.040926933 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.042274952 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:22.042376041 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:22.042382002 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.806054115 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.806154013 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:22.806236029 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:22.806337118 CET | 49736 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:22.806351900 CET | 443 | 49736 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:23.348769903 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:23.348819017 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:23.348942041 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:23.349256039 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:23.349267006 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.560537100 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.560617924 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.562094927 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.562104940 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.562367916 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.564054966 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.564546108 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.564573050 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.564671040 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.564694881 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.564802885 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.564857006 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.564971924 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565001011 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.565136909 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565169096 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.565321922 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565350056 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.565360069 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565371037 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.565536022 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565563917 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.565596104 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565726995 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.565764904 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.607333899 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.607584953 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.607635975 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.607659101 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.607682943 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:24.607711077 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:24.607724905 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:27.087215900 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:27.087496042 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:27.087553978 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:27.087615013 CET | 49738 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:27.087626934 CET | 443 | 49738 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:27.104779959 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:27.104878902 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:27.104964018 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:27.105237961 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:27.105271101 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:28.317684889 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:28.317754984 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:28.319716930 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:28.319731951 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:28.319987059 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:28.362360001 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:28.362406015 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:28.362591982 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:29.092972994 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:29.093216896 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:29.095163107 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:29.095305920 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:29.095367908 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Dec 23, 2024 07:33:29.095395088 CET | 49742 | 443 | 192.168.2.4 | 104.21.6.116 |
| Dec 23, 2024 07:33:29.095412970 CET | 443 | 49742 | 104.21.6.116 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 23, 2024 07:33:08.750679016 CET | 51000 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 23, 2024 07:33:09.149389982 CET | 53 | 51000 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 23, 2024 07:33:08.750679016 CET | 192.168.2.4 | 1.1.1.1 | 0x8242 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 23, 2024 07:33:09.149389982 CET | 1.1.1.1 | 192.168.2.4 | 0x8242 | No error (0) | 104.21.6.116 | A (IP address) | IN (0x0001) | false | ||
| Dec 23, 2024 07:33:09.149389982 CET | 1.1.1.1 | 192.168.2.4 | 0x8242 | No error (0) | 172.67.134.197 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49731 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:10 UTC | 266 | OUT | |
| 2024-12-23 06:33:10 UTC | 8 | OUT | |
| 2024-12-23 06:33:11 UTC | 1129 | IN | |
| 2024-12-23 06:33:11 UTC | 7 | IN | |
| 2024-12-23 06:33:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49732 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:12 UTC | 267 | OUT | |
| 2024-12-23 06:33:12 UTC | 45 | OUT | |
| 2024-12-23 06:33:13 UTC | 1133 | IN | |
| 2024-12-23 06:33:13 UTC | 236 | IN | |
| 2024-12-23 06:33:13 UTC | 903 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN | |
| 2024-12-23 06:33:13 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49733 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:14 UTC | 280 | OUT | |
| 2024-12-23 06:33:14 UTC | 15331 | OUT | |
| 2024-12-23 06:33:14 UTC | 2800 | OUT | |
| 2024-12-23 06:33:15 UTC | 1129 | IN | |
| 2024-12-23 06:33:15 UTC | 20 | IN | |
| 2024-12-23 06:33:15 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49734 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:17 UTC | 282 | OUT | |
| 2024-12-23 06:33:17 UTC | 8770 | OUT | |
| 2024-12-23 06:33:17 UTC | 1127 | IN | |
| 2024-12-23 06:33:17 UTC | 20 | IN | |
| 2024-12-23 06:33:17 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49735 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:19 UTC | 278 | OUT | |
| 2024-12-23 06:33:19 UTC | 15331 | OUT | |
| 2024-12-23 06:33:19 UTC | 5062 | OUT | |
| 2024-12-23 06:33:20 UTC | 1123 | IN | |
| 2024-12-23 06:33:20 UTC | 20 | IN | |
| 2024-12-23 06:33:20 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49736 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:22 UTC | 284 | OUT | |
| 2024-12-23 06:33:22 UTC | 1243 | OUT | |
| 2024-12-23 06:33:22 UTC | 1130 | IN | |
| 2024-12-23 06:33:22 UTC | 20 | IN | |
| 2024-12-23 06:33:22 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49738 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:24 UTC | 282 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:24 UTC | 15331 | OUT | |
| 2024-12-23 06:33:27 UTC | 1137 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49742 | 104.21.6.116 | 443 | 7348 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-23 06:33:28 UTC | 267 | OUT | |
| 2024-12-23 06:33:28 UTC | 80 | OUT | |
| 2024-12-23 06:33:29 UTC | 1135 | IN | |
| 2024-12-23 06:33:29 UTC | 54 | IN | |
| 2024-12-23 06:33:29 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 01:33:07 |
| Start date: | 23/12/2024 |
| Path: | C:\Users\user\Desktop\schost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7b0b30000 |
| File size: | 13'084'160 bytes |
| MD5 hash: | 4D82074854750FDBA89D76624CC1E6F6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 01:33:07 |
| Start date: | 23/12/2024 |
| Path: | C:\Windows\SysWOW64\dxdiag.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0xe40000 |
| File size: | 222'720 bytes |
| MD5 hash: | 24D3F0DB6CCF0C341EA4F6B206DF2EDF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 01:33:08 |
| Start date: | 23/12/2024 |
| Path: | C:\Windows\SysWOW64\dxdiag.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0xe40000 |
| File size: | 222'720 bytes |
| MD5 hash: | 24D3F0DB6CCF0C341EA4F6B206DF2EDF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 01:33:08 |
| Start date: | 23/12/2024 |
| Path: | C:\Windows\SysWOW64\dxdiag.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe40000 |
| File size: | 222'720 bytes |
| MD5 hash: | 24D3F0DB6CCF0C341EA4F6B206DF2EDF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Function 00007FF7B0C05D6C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 8.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 68.2% |
| Total number of Nodes: | 302 |
| Total number of Limit Nodes: | 7 |
Graph
Function 00435870 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 661memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CDD7 Relevance: 10.3, Strings: 8, Instructions: 291COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420B10 Relevance: 8.0, Strings: 6, Instructions: 515COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408920 Relevance: 6.1, APIs: 4, Instructions: 116threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AAE0 Relevance: 5.4, Strings: 4, Instructions: 370COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415971 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 457encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425480 Relevance: 2.8, Strings: 2, Instructions: 315COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439E40 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438640 Relevance: 1.5, Strings: 1, Instructions: 240COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C8F0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D400 Relevance: .3, Instructions: 336COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CA10 Relevance: .3, Instructions: 264COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435530 Relevance: .2, Instructions: 250COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A7F4 Relevance: .1, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D866 Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433195 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439DE0 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F18E Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CEE6 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438612 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004385E0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004238F0 Relevance: 21.8, Strings: 17, Instructions: 517COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434ED0 Relevance: 21.6, Strings: 17, Instructions: 319COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004303F0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 124clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041676A Relevance: 20.4, Strings: 16, Instructions: 364COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B124 Relevance: 19.1, Strings: 15, Instructions: 302COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DA80 Relevance: 15.9, Strings: 12, Instructions: 904COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417742 Relevance: 10.5, Strings: 8, Instructions: 526COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004092D0 Relevance: 10.4, Strings: 8, Instructions: 436COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427365 Relevance: 10.3, Strings: 8, Instructions: 338COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042456F Relevance: 9.1, Strings: 7, Instructions: 366COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004281C0 Relevance: 8.2, Strings: 6, Instructions: 665COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AFD8 Relevance: 7.7, Strings: 6, Instructions: 153COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042683C Relevance: 6.8, Strings: 5, Instructions: 527COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424DD0 Relevance: 6.6, Strings: 5, Instructions: 369COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409730 Relevance: 5.4, Strings: 4, Instructions: 352COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BB20 Relevance: 5.3, Strings: 4, Instructions: 310COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00419219 Relevance: 5.3, Strings: 4, Instructions: 274COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421D73 Relevance: 4.5, Strings: 3, Instructions: 737COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042779B Relevance: 4.2, Strings: 3, Instructions: 443COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004277E0 Relevance: 4.2, Strings: 3, Instructions: 436COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436BE4 Relevance: 4.2, Strings: 3, Instructions: 426COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415460 Relevance: 4.2, Strings: 3, Instructions: 408COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A9D5 Relevance: 4.1, Strings: 3, Instructions: 388COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AA8A Relevance: 4.1, Strings: 3, Instructions: 365COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AAD7 Relevance: 4.1, Strings: 3, Instructions: 364COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AAC6 Relevance: 4.1, Strings: 3, Instructions: 339COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004230C0 Relevance: 4.0, Strings: 3, Instructions: 285COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DEE9 Relevance: 3.9, Strings: 3, Instructions: 140COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414860 Relevance: 3.6, Strings: 2, Instructions: 1055COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C50 Relevance: 3.3, Strings: 2, Instructions: 805COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438D70 Relevance: 3.3, Strings: 2, Instructions: 755COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416CBD Relevance: 3.2, Strings: 2, Instructions: 743COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425820 Relevance: 3.1, Strings: 2, Instructions: 614COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415FA1 Relevance: 3.1, Strings: 2, Instructions: 606COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004231F6 Relevance: 3.0, Strings: 2, Instructions: 524COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BE71 Relevance: 2.8, Strings: 2, Instructions: 349COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404300 Relevance: 2.8, Strings: 2, Instructions: 335COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C72B Relevance: 2.8, Strings: 2, Instructions: 256COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040FB71 Relevance: 2.3, Strings: 1, Instructions: 1089COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004181E9 Relevance: 2.0, Strings: 1, Instructions: 793COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004216E0 Relevance: 1.7, Strings: 1, Instructions: 457COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C330 Relevance: 1.7, Strings: 1, Instructions: 443COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427C0F Relevance: 1.6, Strings: 1, Instructions: 324COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409070 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CE00 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417D74 Relevance: 1.5, Strings: 1, Instructions: 215COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A71E Relevance: 1.3, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F116 Relevance: .7, Instructions: 745COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406670 Relevance: .7, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EC80 Relevance: .7, Instructions: 658COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F50 Relevance: .7, Instructions: 657COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407450 Relevance: .6, Instructions: 625COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403950 Relevance: .6, Instructions: 600COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411712 Relevance: .5, Instructions: 546COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BA70 Relevance: .5, Instructions: 504COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004362F0 Relevance: .5, Instructions: 482COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004082F0 Relevance: .4, Instructions: 429COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405980 Relevance: .4, Instructions: 400COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D040 Relevance: .4, Instructions: 364COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D0C0 Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CCF0 Relevance: .3, Instructions: 307COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004061E0 Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434463 Relevance: .3, Instructions: 293COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D4C0 Relevance: .3, Instructions: 286COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E480 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EE70 Relevance: .2, Instructions: 220COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438A90 Relevance: .2, Instructions: 212COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426A10 Relevance: .2, Instructions: 210COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CA48 Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B6F0 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A9B0 Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022B0 Relevance: .2, Instructions: 199COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426282 Relevance: .2, Instructions: 195COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434C70 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004264F2 Relevance: .2, Instructions: 188COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433875 Relevance: .2, Instructions: 187COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E122 Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436980 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A7A0 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004029C0 Relevance: .2, Instructions: 165COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D9D6 Relevance: .2, Instructions: 165COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B7E0 Relevance: .1, Instructions: 124COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D136 Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AEC5 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402B90 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004180EC Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432AA0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428DB0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A58E Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041805C Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A4FC Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|