Edit tour
Windows
Analysis Report
random.exe
Overview
General Information
| Sample name: | random.exe |
| Analysis ID: | 1587500 |
| MD5: | 82b0dd4607ce761914ac07d3d585ed55 |
| SHA1: | 4621e732feb0470f3a036cd01dc273624a6e790c |
| SHA256: | 20f96c72f95343c306164d0fdff253d50d85de272a5d3113d9e411aba467eb51 |
| Tags: | exemalwaretrojanuser-Joker |
| Infos: |   |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Drops PE files with a suspicious file extension
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
random.exe (PID: 7424 cmdline: "C:\Users\ user\Deskt op\random. exe" MD5: 82B0DD4607CE761914AC07D3D585ED55) 
cmd.exe (PID: 7572 cmdline: "C:\Window s\System32 \cmd.exe" /c move Me anwhile Me anwhile.cm d & Meanwh ile.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7580 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 7640 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7656 cmdline:
findstr /I "opssvc w rsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 7684 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7692 cmdline:
findstr "A vastUI AVG UI bdservi cehost nsW scSvc ekrn SophosHea lth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7732 cmdline:
cmd /c md 65452 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - extrac32.exe (PID: 7748 cmdline:
extrac32 / Y /E Lesbi ans MD5: 9472AAB6390E4F1431BAA912FCFF9707) - findstr.exe (PID: 7768 cmdline:
findstr /V "Light" N atural MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7784 cmdline:
cmd /c cop y /b 65452 \Thu.com + Patrick + Diamonds + Haven + Boutique + Samples + Drunk + A da + Myrtl e + China + Situated + Beverag es 65452\T hu.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 7800 cmdline:
cmd /c cop y /b ..\Ta rgeted + . .\Cartridg e + ..\Def ensive + . .\Alert + ..\Postcar ds + ..\Co nsiderable + ..\Ht u MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Thu.com (PID: 7816 cmdline: Thu.com u MD5: 62D09F076E6E0240548C2F837536A46A) - choice.exe (PID: 7832 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
HIPS / PFW / Operating System Protection Evasion |   |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T13:37:39.324161+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:40.275660+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:41.388055+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49858 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:42.464974+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49864 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:43.522237+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49875 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:53.237851+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49937 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:54.519053+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49944 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:56.538342+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49959 | 104.21.79.9 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T13:37:39.799330+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:40.732691+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:57.015445+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49959 | 104.21.79.9 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T13:37:39.799330+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T13:37:40.732691+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T13:37:41.971565+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49858 | 104.21.79.9 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004050CD | |
| Source: | Code function: | 0_2_004044A5 | |
| Source: | Code function: | 0_2_00403883 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040497C | |
| Source: | Code function: | 0_2_00406ED2 | |
| Source: | Code function: | 0_2_004074BB | |
| Source: | Dropped File: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004044A5 | |
| Source: | Code function: | 0_2_004024FB | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004062FC | |
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_004062FC | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406805 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 111 Masquerading | 2 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 11 Input Capture | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 13 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 14% | Virustotal | Browse | ||
| 16% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high | |
| rampnatleadk.click | 104.21.79.9 | true | true | unknown | |
| NuDhrzFppayELEuGk.NuDhrzFppayELEuGk | unknown | unknown | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.79.9 | rampnatleadk.click | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1587500 |
| Start date and time: | 2025-01-10 13:36:08 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | random.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@26/24@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 40.126.31.69, 20.190.159.0, 20.190.159.2, 20.190.159.4, 40.126.31.73, 40.126.31.67, 20.190.159.23, 20.190.159.73, 13.107.246.45, 4.175.87.197
- Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 07:37:15 | API Interceptor | |
| 07:37:38 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.79.9 | Get hash | malicious | HTMLPhisher | Browse | ||
| Get hash | malicious | Metasploit | Browse | |||
| Get hash | malicious | Metasploit | Browse | |||
| Get hash | malicious | Metasploit | Browse | |||
| Get hash | malicious | Metasploit | Browse | |||
| Get hash | malicious | Metasploit | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | Get hash | malicious | Strela Downloader | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Xmrig | Browse |
| ||
| Get hash | malicious | AsyncRAT, DcRat | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | KnowBe4 | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Remcos | Browse |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 947288 |
| Entropy (8bit): | 6.630612696399572 |
| Encrypted: | false |
| SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
| MD5: | 62D09F076E6E0240548C2F837536A46A |
| SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
| SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
| SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 483776 |
| Entropy (8bit): | 7.999658628044146 |
| Encrypted: | true |
| SSDEEP: | 12288:1JgLjmticjCsfmJQMtbeKRyhtbgLvZyn9/SXEnI40hWBwf:1ewicj5+7qdhtEMn96El0hWq |
| MD5: | A6CD3D383E8B40F11B1778A14A72B3DC |
| SHA1: | A4F649DF47DEF118E15B4C922856DD9AE071C7B1 |
| SHA-256: | 5DDC1A0E891B0DD2C5AEF3E9B3D1E86E968489B88264E85F53F95EB4F40CA903 |
| SHA-512: | 6D554096A3980EB5160691588EE88B9E97DC3712E8D5058F58C8F5A222BCE8E1530CF702E34DDA1F353EACF9C03B1E7707751BDF1864839E847D103CF3943E12 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 88064 |
| Entropy (8bit): | 5.976414166073731 |
| Encrypted: | false |
| SSDEEP: | 1536:tfv2j62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuu:B2jfTq8QLeAg0Fuz08XvBNbe |
| MD5: | E7DAD7C10471AEB4DE5D87C9B2279182 |
| SHA1: | 0B50C90E12F76AAB4F94E02FF73C69A373FB897D |
| SHA-256: | D8264B4C15D18C40C999054DFAC06849D6F6B11640F1B705E69DDE6ABD87FEE1 |
| SHA-512: | 47E3718E870DAAF31BC13B8BB2F615F8FD9A4FC7D1158BBF73EACE2EB4AF6D7BAC0623CE19BF82B5B59D714AB7E909021B087FA0C3622CF3C3DC2974A1DA30DB |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 87040 |
| Entropy (8bit): | 7.997812313439762 |
| Encrypted: | true |
| SSDEEP: | 1536:SwnR0701JD9ic2iWe86AjS8fPGZNeBU0ZLewfTO+Xou7T6np5q9tNDlwgaWwOz5L:SSakh0iWe86AjSOEezzTOSofnDen+Jjm |
| MD5: | CE8C590592724ED4670344FB9F030142 |
| SHA1: | 9F513CF74FBEC5DB3D3DBE09C6AEFEA6771F3983 |
| SHA-256: | BA3289497C6E2952A1F7EACEDD846E76385BC2366D5B10FA64ACDD7052150A36 |
| SHA-512: | 16AF27D045DC099F6EFBE17476A58520077CE31CF3540FA42DE9E04F249C86FFEE965B14C0E9A2A9185A9D02035B56C78C35AFAF8F03EF661000511BDA0C9EF7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6646 |
| Entropy (8bit): | 7.596682957241826 |
| Encrypted: | false |
| SSDEEP: | 192:7N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:qVEVFJ8ZcGwGBk7/UMQ3rw |
| MD5: | 485893BA0365E6619496DF76AB9FE18C |
| SHA1: | D73D1EA4C1E619FCE50C855AD834CA5165AEEDF0 |
| SHA-256: | 38255E04FCEB6B20562255BE4B5EBD1D6F9DBA72DEB4ABD350216491D19F98C4 |
| SHA-512: | 02E29FA4F573766207D52F5E3D12AD89D763DF21431A673A2E72EB330F40E3C31E3CB93501CCC21A1F54E678C7A92363BA87B2983EE768D7C9E5EE48F211552D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 148480 |
| Entropy (8bit): | 6.663746659725759 |
| Encrypted: | false |
| SSDEEP: | 3072:xPtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnD:/COMVIPPL/sZ7HS3zcNPj0nEo3D |
| MD5: | 54833E3A62484385B41A2F61B89E780B |
| SHA1: | 2B480F8F2A1D61166420D4601C79F53D1825A707 |
| SHA-256: | 314FBADE578479A7583C4C3FD3DB2C3B926BB322B60BB7077AB76C55710B08E0 |
| SHA-512: | CDA303E3DD66475A03F5D45A01E60A6F68151DED88825C080FBD8AB6872AA4350F87CDED176C9E093CA2471CE7DA31EBC1BE6D2FEF5573155453D8EF185832A8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 51200 |
| Entropy (8bit): | 7.996446510315768 |
| Encrypted: | true |
| SSDEEP: | 1536:AAExC1rq4dGLlD0kAzST+OtXnSdY/qcE6E5cFb:AAicrqTL/AzR8XSa/5QC |
| MD5: | F6E47B67FE7B4937ED799D78AA9383E5 |
| SHA1: | 69ECF3DBFB9266FBC5A4D02301CC24F79B124FA2 |
| SHA-256: | C2A4A03E6FA006E62B247F60B8A83EEF90886B30CFEF90916F7F4AC493676808 |
| SHA-512: | 2CEEF4C33F3428BCBC52392E5CC193708F7A3CD5952822677284E5FAEDF443750612AAB34F2A997FB27A80E4A2214813D4BD9B4772D482A613D35B8D0A4CD290 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 71680 |
| Entropy (8bit): | 4.794944962014722 |
| Encrypted: | false |
| SSDEEP: | 768:MAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr8qcDP8WBosd0bHazf0T:MAsAhxjgarB/5el3EYrDWyu0ui |
| MD5: | 9AAD350403FBCD2B04A8F2A04ADF8E1F |
| SHA1: | A27BD9415ED68D9C34254CC68FB9ABDED8BB981E |
| SHA-256: | F65A05E7DEDD3A6217B5C45C989F9FA0422FB3C40B03E3A8044B73F58366B5CF |
| SHA-512: | AA9EE17191A3D8261D6EEF01A26B501F98EF8F99545785B36873359F5B27D9181F5ABDD7E566D520A40D66356182EBBDDBD74156935C21EE6150DAF7C4398593 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 82944 |
| Entropy (8bit): | 7.997954172053817 |
| Encrypted: | true |
| SSDEEP: | 1536:3Ao8/LViOfBv1KDX1D1V37qh2V4wRj/dmOeN+zxVFGgReFv0/i7oYM0KrQfWy4S/:38/LwOZv1kFn+uj/oBsFjeFvBoR0KK/3 |
| MD5: | 582F79EC93D7986F4AC4ADA8F4B6F230 |
| SHA1: | 1756E974DBB027368B704F966AE3513876BD9404 |
| SHA-256: | 74580677AC85AC203711F5055C844F7231B7CF6D8E39721CDD1D759034FCEAC0 |
| SHA-512: | C3C5956D457F4A65BE8CAA325A6138B2FEDE04472EC55CDD5E9D67F105C0CFC74896A2EABA5C2873FAEF4342E0F269A2C14B92D611986A2BF1C5620708E3AA0A |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 90112 |
| Entropy (8bit): | 7.997818106578467 |
| Encrypted: | true |
| SSDEEP: | 1536:kI8AQkATMXv0XOimF+SMoZ8MsMXgvj+PpIaL71kvdMbgZiU1ON/Igu2ArB:kI8hTMX8XOiz1MQv+JF6dMbvUUBvPArB |
| MD5: | 2C52B361927E9C023B405FD270B733BE |
| SHA1: | 82ECEB8CF13F8DC270C68C89A620D8BFE7673259 |
| SHA-256: | 4D335D3CE94C40BEA4B86976C1F833E4CA9F6F1EEB5F455673C867A1DEA43CB0 |
| SHA-512: | 2183FFF7E14B98F8BB88BF33D849B7CBB8CDC11FA65338B49234553B55B3573F5061412A5CA96D1A0101FEE00AAF288B1703E24EB125A6CC25DFC811C0AAA193 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 117760 |
| Entropy (8bit): | 6.655214139320167 |
| Encrypted: | false |
| SSDEEP: | 3072:YaW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQF:YoUDtf0accB3gBmmLsiS+F |
| MD5: | B29BFE6D19AD6757965FBA08E57D5D82 |
| SHA1: | 0AFCA9E7A6936064ED8E14AC29B2DFD83A3A5617 |
| SHA-256: | F871EB3DCDA6C25D7A182ABA8B01DE2E24BABA42B93D78CA644BD6E70BC4BFB6 |
| SHA-512: | EC815B201F7BD80B31ED8A4817C4D3C1B76D954CC5075E5361400F430E629D11D5F6284D880262C4C7A645F81F0CC4D6331D4928CE4C898F4BC5989E23D2C9CA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 136192 |
| Entropy (8bit): | 6.573619270501074 |
| Encrypted: | false |
| SSDEEP: | 3072:KSv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9i:dvmVnjphfhnvO5bLezWWt/Dd314V14ZN |
| MD5: | 8747F478F628944842AF7753A40B0B89 |
| SHA1: | 03E68D87AE3376339E14402A3A3E2774FA66EF91 |
| SHA-256: | 84DFFA32EA835A716E2DE5E4942AC771EF1E049077D4088900F213D63C7CC591 |
| SHA-512: | C3BCC458D4BE37DC7843ECAF4222AA7F800C710439FEBC10ED9C17135280AC60E109D71A3E0BFB3FF4FE78FB668BB9A946D87115DB47BE66CBB7516D7CDA47C0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 63488 |
| Entropy (8bit): | 6.740233929896918 |
| Encrypted: | false |
| SSDEEP: | 1536:Mh+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVc:MAU4CE0Imbi8I |
| MD5: | 0A3335287B3EE7D849C7F0620E451C62 |
| SHA1: | 71D5366EC395218A37370485BCE2632FC40F6F18 |
| SHA-256: | E54D4354E9AF7A915C3D7F26E0E4D0A7A1B30597B09E44CCCC3F3254789E58DB |
| SHA-512: | DFF728D5C25268B68117FBC1238BBCA40239C1D66EEF57C1714DADD4C5144BC9F959589DCEB82249F8DB3D035232174BBA71CD34EE7C417BE1DF40C1D401AD66 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 52672 |
| Entropy (8bit): | 7.996416938866434 |
| Encrypted: | true |
| SSDEEP: | 1536:UD1ldug/xoTNnzS+cPbRa/OAz5+dBrHQpAOFhaG:UZFeJzqbo/H5YBrHNuf |
| MD5: | 3F2483C5DBD68F74CB53BD420A4104A5 |
| SHA1: | 5E5EB4131914F77DCF064B62D7D0EBB9AD1E0E59 |
| SHA-256: | 69BB48ED643EDB2986951C62784E52FF9160C022BC69C72E2180E29ECF117149 |
| SHA-512: | C77EE857C0E6509ED2641627769C0E797FC616CB9E75317E141B40F82359AC49C48CB610D7CB4662D624628C266C56752F297E02E445BCFE33D7737A223104DD |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 489645 |
| Entropy (8bit): | 7.99845867950559 |
| Encrypted: | true |
| SSDEEP: | 12288:yoAVtA0EwiiuxBpcu21AFKIJ5l13wqBcFE7+/x+NxIQ:yoAVtUXrr2OFTwqGmgs8Q |
| MD5: | 215D1E37EC89699320D7AEA64F5D87A5 |
| SHA1: | 8D2EFFBEDBA47D04DFED215462A71333DF8E6A5B |
| SHA-256: | 7B05699FEB654BDFCE048D2EB1D8974B7BDADCAD5D6451BF613EDE4D4E1ECD5F |
| SHA-512: | D9F8BFBDC4A9594EC7885BCEAA2167B87FC1DE989D9EDEFFCDF99E96BE53E21A19F375330C8C10BC885473B3CF31465C525733CE3B1EEBF08AEBDBC1A6F6D003 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11943 |
| Entropy (8bit): | 5.1664273494538255 |
| Encrypted: | false |
| SSDEEP: | 192:ZIbkINBjVgHobKxCtlSPLdFy1Q5EAVe58+pWbFI/BkZxqGyiy+ruVue+8mGroQh:aAI2aQCnIzYQ5P8q+pghy+47mhq |
| MD5: | F54F9A9722A00681590A763B976A045A |
| SHA1: | CA7DD2B9E413D7A78C6CC07DF941C045DBFF9D8B |
| SHA-256: | 3ED01CAABFFA5C8D4118788F2C639DAA0ABEFB7728B6BF37063A5A4A01C320A8 |
| SHA-512: | 22DCB50E3BF008494A2DD28A9299650113B28ABF365C8BAB9A4BBC5F582EDC9722AB9BDAD51CD4BC9B82FD1DBFC3E679E33A652BE3DC3C3D8B0986872EC34DD0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11943 |
| Entropy (8bit): | 5.1664273494538255 |
| Encrypted: | false |
| SSDEEP: | 192:ZIbkINBjVgHobKxCtlSPLdFy1Q5EAVe58+pWbFI/BkZxqGyiy+ruVue+8mGroQh:aAI2aQCnIzYQ5P8q+pghy+47mhq |
| MD5: | F54F9A9722A00681590A763B976A045A |
| SHA1: | CA7DD2B9E413D7A78C6CC07DF941C045DBFF9D8B |
| SHA-256: | 3ED01CAABFFA5C8D4118788F2C639DAA0ABEFB7728B6BF37063A5A4A01C320A8 |
| SHA-512: | 22DCB50E3BF008494A2DD28A9299650113B28ABF365C8BAB9A4BBC5F582EDC9722AB9BDAD51CD4BC9B82FD1DBFC3E679E33A652BE3DC3C3D8B0986872EC34DD0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94208 |
| Entropy (8bit): | 5.0823714255603685 |
| Encrypted: | false |
| SSDEEP: | 768:AaAwuXc/mex/SGKAGWRqA60dTcR4qYnGC:AaAwusPdKaj6iTcy |
| MD5: | E6C98CE396B7EFF6A19D39917C53632B |
| SHA1: | C7FF69492A4712D052E0DD61AB757CB1CCB40059 |
| SHA-256: | 62EA9CEBC81C5E3F4C93892379A2533826BBB0EBDB8187E3399C291A5FDC0EF6 |
| SHA-512: | 2D388678F2740DE402120562535691AA92D79549B2E7068405F113612E920B2354ACDACDD6A808666F5FB272DE95766BA63F2B6B0029505838CD3A3A5F48BA2B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2663 |
| Entropy (8bit): | 5.405388569148364 |
| Encrypted: | false |
| SSDEEP: | 48:0k9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+MY:/SEA5O5W+MfH5S1CqlVJcI6Y |
| MD5: | D95F61F9DABE9FF14EFC02A1E25D5143 |
| SHA1: | 06A1F83C29E63D871056BB7876AA5B18F5628471 |
| SHA-256: | 70E237DB397460C195CACC9AF78A6DA4C92114ABDFD3989EB75D74BD9E556318 |
| SHA-512: | 19EC3B84E04E0E301ED6BEB9F5FE6C655E4ED2F7B1321927410417A5EB49B1E6DBA825713231914219AD95898DADC43FBC8B947878CF7DD40C123AAAF103DF04 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 96256 |
| Entropy (8bit): | 6.289810555899088 |
| Encrypted: | false |
| SSDEEP: | 1536:RAD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzdZPp7HE+tA:Rg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/L+ |
| MD5: | F924F94313C3D0855284E553BA47E68B |
| SHA1: | 74FFEA37A07D797DA6E7B37F8526AE6239A053B1 |
| SHA-256: | 3CC7CD5A374733CC63CB7778922000E6715556619F6A959D2F9989188512D8AB |
| SHA-512: | B32DBA869EC38FCDCDA175DECA013275DED001936086D0598AC697A7268DFA6AC337B3FE50ED6F224AC1DD7384290509C66D714A121FFFA0054CA74898F121D1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 53248 |
| Entropy (8bit): | 7.996663099057879 |
| Encrypted: | true |
| SSDEEP: | 768:kVOHnWy0VXPZNgB5j0SGr59q2RE9yeQc6X/8xiPDYyLw5CnPUu4LYK3E1kmDV7FF:xHWyMP/gn0WUE4vwVp5CMoSmDVUTSgs |
| MD5: | 8A0DFEA5F88D6673F4FBEB83655612AF |
| SHA1: | 0C8D3D567E9BFDB32A4550E01D700CE3B9B92C06 |
| SHA-256: | 91FE2EC9ED991452F388FFAFE877F105ED4E535FDCB85B0BB86EBD764AA1E960 |
| SHA-512: | 0D0469FA154920810F8601370E60742A2F2DC07087C2264509E5A1C80EE4367AB0772F9515A070BA8B0049D7D044AAB557032D0DA2552E51BF66A9CF1ACD0F47 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 66560 |
| Entropy (8bit): | 6.652094163010141 |
| Encrypted: | false |
| SSDEEP: | 1536:ioJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9Prpmp:iowS2u5hVOoQ7t8T6pUkBJR8CThpmp |
| MD5: | 92091BA39B3650B848804C9E7A33328E |
| SHA1: | E9ED799BA78836FC170FB5C3DCA53152B3A9E0F4 |
| SHA-256: | 4943E6AC3E9AB4C10A46A1CD4D3111890EA7ACA437F7EABAFD49797592E40548 |
| SHA-512: | CB0F13FEFE6284ECEEEC2960C40DE762B2808E96B7E08CE86C7210A45B59B6B590AE8D69D88D0128E24BE1FBC6A724EAB08C42FCC4CA3EC8BB5D8D8D3BC4DB5A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55296 |
| Entropy (8bit): | 6.636736650097497 |
| Encrypted: | false |
| SSDEEP: | 768:Xye4Ur2+9BGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatC:Co2+9BGmdATGODv7xvTphAiPChgZ2J |
| MD5: | 89AE9CFD20E98FF5B58ADC07AD0BAA2B |
| SHA1: | A0F58D8A783CC1B621DBE67C93ABEB9AB632BBAA |
| SHA-256: | ECDFBE6666A7A22C0A4F41B4360ED9759ACC82012E12E55E7558E22287E89C3C |
| SHA-512: | 2FAC9E814D26990989EC2418DDB8B01F6CCEB37BF3412AD72E59AE7AC07AFF39B4F968FC455A06B4AC2498EFB7980BE806B233E42E510FC567C1D49FEB9BD863 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\random.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 66560 |
| Entropy (8bit): | 7.997220929099702 |
| Encrypted: | true |
| SSDEEP: | 1536:c1VuetgL5ZMLz3aQoWtuYzN+oKUJObeciAsIXEkeA5:c1cJFKLjWVYJ+oybe7kSU |
| MD5: | 192C41A324DB7DDEF0199B6C0A82679C |
| SHA1: | A946F6E2FB342306B10D631A9753CB34E921D7F6 |
| SHA-256: | CA62247302606FAB36CAABCD440DA5D2D5531416EE6B1A4432BAF48379C02A39 |
| SHA-512: | D9B6A5C94C441BE5852351CE85CC7A3C949821B0A943F19F377A8789474C9A67A58A1E6EED4B51A14C3CE8647AF69906B7653DB14E3AF4FB0D222F83224F0D26 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.3864688435513015 |
| TrID: |
|
| File name: | random.exe |
| File size: | 5'254'854 bytes |
| MD5: | 82b0dd4607ce761914ac07d3d585ed55 |
| SHA1: | 4621e732feb0470f3a036cd01dc273624a6e790c |
| SHA256: | 20f96c72f95343c306164d0fdff253d50d85de272a5d3113d9e411aba467eb51 |
| SHA512: | bb3cb777938a0d5b033f13f30564798575873f89be7f3214b5481d37cc4391d7bc7dea2097c90b1492965e4f6f3d42ea75701b5b4cd816159f9c67517eb67f7d |
| SSDEEP: | 24576:QreSyKJOobxH5hrx+EHSYm6LFI8wVPW/P7Pub7jb7j:3Gr9yCq8wcLk |
| TLSH: | 5936F9D96FD9418C4D173B94A089DE03FDF3F8B15138C14A17632B4C2AA66F6B029AD7 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X|.N.................n.......B...8..... |
 | |
| Icon Hash: | f4d6d6d282e6dce2 |
| Entrypoint: | 0x403883 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
| Signature Valid: | false |
| Signature Issuer: | CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 8482FFDA9E08210CFED2F900F28A1F2E |
| Thumbprint SHA-1: | B46B17F6C24351D61F1CB1B830FA1546CAAFD411 |
| Thumbprint SHA-256: | CA3BD5C3F6EEF3799D48651CD1372FEB84649358ADE03108B14DB14CD4239A83 |
| Serial: | 7B6D149DF3DF52D8797362ED082FC2A1 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+18h], ebp |
| mov dword ptr [esp+10h], 00409268h |
| mov dword ptr [esp+14h], ebp |
| call dword ptr [00408030h] |
| push 00008001h |
| call dword ptr [004080B4h] |
| push ebp |
| call dword ptr [004082C0h] |
| push 00000008h |
| mov dword ptr [00472EB8h], eax |
| call 00007F316981CE4Bh |
| push ebp |
| push 000002B4h |
| mov dword ptr [00472DD0h], eax |
| lea eax, dword ptr [esp+38h] |
| push eax |
| push ebp |
| push 00409264h |
| call dword ptr [00408184h] |
| push 0040924Ch |
| push 0046ADC0h |
| call 00007F316981CB2Dh |
| call dword ptr [004080B0h] |
| push eax |
| mov edi, 004C30A0h |
| push edi |
| call 00007F316981CB1Bh |
| push ebp |
| call dword ptr [00408134h] |
| cmp word ptr [004C30A0h], 0022h |
| mov dword ptr [00472DD8h], eax |
| mov eax, edi |
| jne 00007F316981A41Ah |
| push 00000022h |
| pop esi |
| mov eax, 004C30A2h |
| push esi |
| push eax |
| call 00007F316981C7F1h |
| push eax |
| call dword ptr [00408260h] |
| mov esi, eax |
| mov dword ptr [esp+1Ch], esi |
| jmp 00007F316981A4A3h |
| push 00000020h |
| pop ebx |
| cmp ax, bx |
| jne 00007F316981A41Ah |
| add esi, 02h |
| cmp word ptr [esi], bx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0xca0e | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4fffee | 0x2ed8 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf4000 | 0xca0e | 0xcc00 | 01b0f68b0974d527075a1549b11ac983 | False | 0.8801317401960784 | data | 7.557206868507775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x101000 | 0xf32 | 0x1000 | 6fd8f5d5dbecdd998de88c2444fbe0a4 | False | 0.599365234375 | data | 5.508734152214352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xf4220 | 0x6453 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.000622980181443 |
| RT_ICON | 0xfa674 | 0x2676 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0011172049563275 |
| RT_ICON | 0xfccec | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.6311025223759154 |
| RT_ICON | 0xff354 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.7010473588342441 |
| RT_DIALOG | 0x10047c | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x10057c | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x100698 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x1006f8 | 0x3e | data | English | United States | 0.8225806451612904 |
| RT_MANIFEST | 0x100738 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
| USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T13:37:39.324161+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:39.799330+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:39.799330+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:40.275660+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:40.732691+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:40.732691+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:41.388055+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49858 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:41.971565+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49858 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:42.464974+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49864 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:43.522237+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49875 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:53.237851+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49937 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:54.519053+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49944 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:56.538342+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49959 | 104.21.79.9 | 443 | TCP |
| 2025-01-10T13:37:57.015445+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49959 | 104.21.79.9 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 13:37:38.834033012 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:38.834058046 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:38.834208965 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:38.835684061 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:38.835696936 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.324049950 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.324161053 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.325685024 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.325692892 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.326062918 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.376415014 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.376439095 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.376606941 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.799357891 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.799500942 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.799566984 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.800873041 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.800887108 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.800901890 CET | 49841 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.800906897 CET | 443 | 49841 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.807225943 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.807250977 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:39.807331085 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.807693958 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:39.807703018 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.275369883 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.275660038 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.277194977 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.277199030 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.277441978 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.278738976 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.278738976 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.278808117 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.732753992 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.732897043 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733011961 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733082056 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.733094931 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733201981 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733289003 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733304024 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.733313084 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733354092 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.733447075 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733584881 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733635902 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.733642101 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.733952999 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.737318993 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.783768892 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.783781052 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.819262981 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.819339037 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.819349051 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.819453001 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.819677114 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.819828987 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.819828987 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.819873095 CET | 49849 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.819880009 CET | 443 | 49849 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.898730993 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.898751974 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:40.898860931 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.899296999 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:40.899311066 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.387965918 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.388055086 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.389313936 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.389318943 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.389554977 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.390733004 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.390805960 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.390877008 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.971590042 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.971687078 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.971795082 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.972244978 CET | 49858 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.972259045 CET | 443 | 49858 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.985400915 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.985488892 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:41.985685110 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.985937119 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:41.985975981 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.464706898 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.464973927 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.466865063 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.466876984 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.467102051 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.469206095 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.469424009 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.469465017 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.469527006 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.511320114 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.998935938 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.999049902 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:42.999211073 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.999531984 CET | 49864 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:42.999552011 CET | 443 | 49864 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.056401968 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.056443930 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.056545019 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.057089090 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.057126045 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.522145987 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.522237062 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.524311066 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.524324894 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.524585009 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.526415110 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.526684999 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.526730061 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:43.526904106 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:43.526920080 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:52.635782003 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:52.635886908 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:52.635986090 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:52.636234999 CET | 49875 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:52.636271954 CET | 443 | 49875 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:52.751758099 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:52.751790047 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:52.753439903 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:52.761847973 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:52.761862040 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.237771988 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.237850904 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:53.259747028 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:53.259759903 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.260067940 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.262022018 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:53.262166023 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:53.262172937 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.701119900 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.701209068 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:53.701266050 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:53.701586962 CET | 49937 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:53.701605082 CET | 443 | 49937 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.045878887 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.045911074 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.046001911 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.046475887 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.046488047 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.518964052 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.519052982 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.521467924 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.521473885 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.521708012 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.524313927 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.525213957 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.525249004 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.525559902 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.525598049 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.525732994 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.525778055 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.525922060 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.525958061 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.526088953 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.526118994 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.526295900 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.526324987 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.526339054 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.526354074 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.526489019 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.526510000 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.526531935 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.526673079 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.526705980 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.535427094 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.535589933 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.535613060 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:54.535640955 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.535680056 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.535799980 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:54.538873911 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.074013948 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.074126959 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.074249029 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.074368954 CET | 49944 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.074383974 CET | 443 | 49944 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.076159954 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.076195955 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.076427937 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.076766014 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.076776981 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.538259029 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.538341999 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.539603949 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.539617062 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.539943933 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:56.541167974 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.541192055 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:56.541243076 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:57.015516996 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:57.015642881 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:57.015708923 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:57.015974045 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:57.015988111 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Jan 10, 2025 13:37:57.016012907 CET | 49959 | 443 | 192.168.2.5 | 104.21.79.9 |
| Jan 10, 2025 13:37:57.016019106 CET | 443 | 49959 | 104.21.79.9 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 13:37:19.748893023 CET | 52775 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 10, 2025 13:37:19.757028103 CET | 53 | 52775 | 1.1.1.1 | 192.168.2.5 |
| Jan 10, 2025 13:37:38.791168928 CET | 60043 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 10, 2025 13:37:38.803114891 CET | 53 | 60043 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 13:37:19.748893023 CET | 192.168.2.5 | 1.1.1.1 | 0xedc | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 13:37:38.791168928 CET | 192.168.2.5 | 1.1.1.1 | 0x46aa | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 13:37:09.851999044 CET | 1.1.1.1 | 192.168.2.5 | 0xcd70 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 13:37:09.851999044 CET | 1.1.1.1 | 192.168.2.5 | 0xcd70 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 13:37:19.757028103 CET | 1.1.1.1 | 192.168.2.5 | 0xedc | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 13:37:38.803114891 CET | 1.1.1.1 | 192.168.2.5 | 0x46aa | No error (0) | 104.21.79.9 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 13:37:38.803114891 CET | 1.1.1.1 | 192.168.2.5 | 0x46aa | No error (0) | 172.67.139.144 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49841 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:39 UTC | 265 | OUT | |
| 2025-01-10 12:37:39 UTC | 8 | OUT | |
| 2025-01-10 12:37:39 UTC | 1131 | IN | |
| 2025-01-10 12:37:39 UTC | 7 | IN | |
| 2025-01-10 12:37:39 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49849 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:40 UTC | 266 | OUT | |
| 2025-01-10 12:37:40 UTC | 42 | OUT | |
| 2025-01-10 12:37:40 UTC | 1139 | IN | |
| 2025-01-10 12:37:40 UTC | 230 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN | |
| 2025-01-10 12:37:40 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49858 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:41 UTC | 276 | OUT | |
| 2025-01-10 12:37:41 UTC | 12782 | OUT | |
| 2025-01-10 12:37:41 UTC | 1134 | IN | |
| 2025-01-10 12:37:41 UTC | 20 | IN | |
| 2025-01-10 12:37:41 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49864 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:42 UTC | 278 | OUT | |
| 2025-01-10 12:37:42 UTC | 15036 | OUT | |
| 2025-01-10 12:37:42 UTC | 1131 | IN | |
| 2025-01-10 12:37:42 UTC | 20 | IN | |
| 2025-01-10 12:37:42 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49875 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:43 UTC | 278 | OUT | |
| 2025-01-10 12:37:43 UTC | 15331 | OUT | |
| 2025-01-10 12:37:43 UTC | 5195 | OUT | |
| 2025-01-10 12:37:52 UTC | 1136 | IN | |
| 2025-01-10 12:37:52 UTC | 20 | IN | |
| 2025-01-10 12:37:52 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49937 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:53 UTC | 283 | OUT | |
| 2025-01-10 12:37:53 UTC | 1270 | OUT | |
| 2025-01-10 12:37:53 UTC | 1136 | IN | |
| 2025-01-10 12:37:53 UTC | 20 | IN | |
| 2025-01-10 12:37:53 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49944 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:54 UTC | 285 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:54 UTC | 15331 | OUT | |
| 2025-01-10 12:37:56 UTC | 1139 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49959 | 104.21.79.9 | 443 | 7816 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 12:37:56 UTC | 266 | OUT | |
| 2025-01-10 12:37:56 UTC | 77 | OUT | |
| 2025-01-10 12:37:57 UTC | 1131 | IN | |
| 2025-01-10 12:37:57 UTC | 54 | IN | |
| 2025-01-10 12:37:57 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 07:37:13 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\random.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 5'254'854 bytes |
| MD5 hash: | 82B0DD4607CE761914AC07D3D585ED55 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 07:37:15 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 07:37:15 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 07:37:16 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x410000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 07:37:16 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf0000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 07:37:16 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x410000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 07:37:16 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf0000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 07:37:17 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 07:37:17 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\extrac32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 29'184 bytes |
| MD5 hash: | 9472AAB6390E4F1431BAA912FCFF9707 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 07:37:18 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf0000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 07:37:18 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 07:37:18 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 07:37:18 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\65452\Thu.com |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x490000 |
| File size: | 947'288 bytes |
| MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 07:37:18 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\choice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x180000 |
| File size: | 28'160 bytes |
| MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 18.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 20.7% |
| Total number of Nodes: | 1525 |
| Total number of Limit Nodes: | 33 |
Graph
Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304filestringcomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|