
Windows Analysis Report
random.exe

Overview

General Information

Sample name: random.exe
Analysis ID: 1596738
MD5: d72d18d95f5fef9487e66d67e01eab9d
SHA1: f3f3f03b584586a9c3ae9cca68604792026d20ef
SHA256: cb68cc8427e2cd42153c53aadab9f7ff8cd1550be2fef1e96f9e7f7cecc0baa5
Tags: exe, malware, trojan, user-Joker

Detection

LummaC Stealer, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • random.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\random.exe" MD5: D72D18D95F5FEF9487E66D67E01EAB9D)
    • random.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\random.exe" MD5: D72D18D95F5FEF9487E66D67E01EAB9D)
    • random.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\random.exe" MD5: D72D18D95F5FEF9487E66D67E01EAB9D)
    • WerFault.exe (PID: 6532 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware Configuration

LummaC: {"C2 url": "https://impolitewearr.biz/api", "Build Version": "pqZnKP--S2FsYXNoMW"}

Yara matches (Source | Rule | Description | Author):

random.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000000.2027197577.0000000000262000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2268346574.0000000003549000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Process Memory Space: random.exe PID: 6756 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
0.0.random.exe.260000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.random.exe.3549550.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.random.exe.3549550.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):

2025-01-22T12:49:56.022547+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:57.146277+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:58.712751+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:59.984318+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.16.1 | 443 | TCP
2025-01-22T12:50:01.326591+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.16.1 | 443 | TCP
2025-01-22T12:50:02.975886+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 104.21.16.1 | 443 | TCP
2025-01-22T12:50:04.966013+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 104.21.16.1 | 443 | TCP
2025-01-22T12:50:07.171576+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:56.656605+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:58.050431+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.16.1 | 443 | TCP
2025-01-22T12:50:07.651828+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:56.656605+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:58.050431+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.16.1 | 443 | TCP
2025-01-22T12:49:55.516692+0100 | 2059225 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 63705 | 1.1.1.1 | 53 | UDP
2025-01-22T12:50:03.426768+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49715 | 104.21.16.1 | 443 | TCP


                    AV Detection

Source: https://impolitewearr.biz/ | Avira URL Cloud: Label: malware
Source: https://impolitewearr.biz:443/apiMicrosoft | Avira URL Cloud: Label: malware
Source: https://impolitewearr.biz/api | Avira URL Cloud: Label: malware
Source: https://impolitewearr.biz/e | Avira URL Cloud: Label: malware
Source: https://impolitewearr.biz:443/apitPK | Avira URL Cloud: Label: malware
Source: random.exe.6756.2.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://impolitewearr.biz/api", "Build Version": "pqZnKP--S2FsYXNoMW"}
Source: random.exe | Virustotal: Detection: 48%
Source: random.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.2% probability
Source: random.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\random.exe | Code function: 2_2_00415E38 CryptUnprotectData, 2_2_00415E38
Source: random.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: random.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb | source: WERF021.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb | source: WERF021.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS | source: WERF021.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb | source: WERF021.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb | source: WERF021.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS | source: WERF021.tmp.dmp.6.dr
Source: Binary string: Abacost.pdb | source: random.exe, WERF021.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb | source: WERF021.tmp.dmp.6.dr
Source: Binary string: System.pdb | source: WERF021.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WERF021.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb | source: WERF021.tmp.dmp.6.dr

                    Networking

Source: Network traffic | Suricata IDS: 2059225 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immolatechallen .bond) : 192.168.2.5:63705 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49715 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 104.21.16.1:443
Source: Malware configuration extractor | URLs: https://impolitewearr.biz/api
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=K9WWMM3R4R3D9ITS | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12828 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NWYAPCLTULTXU6B8US | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15082 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=U3HC5E39GC8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20530 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9HPE3XT87O | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2412 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5QCB5QKI2VUDF0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 585844 | Host: impolitewearr.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 87 | Host: impolitewearr.biz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: immolatechallen.bond
Source: global traffic | DNS traffic detected: DNS query: impolitewearr.biz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: impolitewearr.biz
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: random.exe, 00000002.00000002.2153495691.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000002.00000002.2153337035.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000002.00000002.2153495691.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://impolitewearr.biz/
Source: random.exe, 00000002.00000002.2153495691.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000002.00000002.2153337035.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000002.00000002.2153495691.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000002.00000002.2153495691.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://impolitewearr.biz/api
Source: random.exe, 00000002.00000002.2153495691.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://impolitewearr.biz/e
Source: random.exe, 00000002.00000002.2153495691.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://impolitewearr.biz:443/apiMicrosoft
Source: random.exe, 00000002.00000002.2153495691.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://impolitewearr.biz:443/apitPK
Source: C:\Users\user\Desktop\random.exe | Code function: 2_2_004383B0 OpenClipboard, GetClipboardData, GlobalLock, GetWindowLongW, GlobalUnlock, CloseClipboard, 2_2_004383B0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004450E02_2_004450E0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004321332_2_00432133
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00445AD02_2_00445AD0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0040E2E62_2_0040E2E6
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004082802_2_00408280
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043DC502_2_0043DC50
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00410E7D2_2_00410E7D
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00415E382_2_00415E38
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00422EE02_2_00422EE0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00440EF02_2_00440EF0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042A7302_2_0042A730
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004010402_2_00401040
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042F8502_2_0042F850
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043505D2_2_0043505D
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043E8602_2_0043E860
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004168082_2_00416808
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004448102_2_00444810
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004048202_2_00404820
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043C0C82_2_0043C0C8
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041C8E02_2_0041C8E0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041E0FE2_2_0041E0FE
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043D0902_2_0043D090
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042C8A02_2_0042C8A0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004448B02_2_004448B0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041D9502_2_0041D950
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004091702_2_00409170
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043F12E2_2_0043F12E
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041F1302_2_0041F130
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004059C02_2_004059C0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004299E02_2_004299E0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004061F02_2_004061F0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004272502_2_00427250
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004252642_2_00425264
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041227A2_2_0041227A
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00430A2B2_2_00430A2B
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004312C22_2_004312C2
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043D2F02_2_0043D2F0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00411A802_2_00411A80
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041C2902_2_0041C290
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042DAA72_2_0042DAA7
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004162B32_2_004162B3
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004363002_2_00436300
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041732B2_2_0041732B
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00402B302_2_00402B30
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00414B302_2_00414B30
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004413302_2_00441330
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041EB392_2_0041EB39
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042ABC02_2_0042ABC0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00432BE02_2_00432BE0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041E0FE2_2_0041E0FE
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004454402_2_00445440
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0040BC522_2_0040BC52
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00416C082_2_00416C08
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00439C212_2_00439C21
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00434C3A2_2_00434C3A
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004274E02_2_004274E0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042ACE12_2_0042ACE1
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004184E62_2_004184E6
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004424EE2_2_004424EE
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041949D2_2_0041949D
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00418CA02_2_00418CA0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00423CA02_2_00423CA0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00408CB02_2_00408CB0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043ECB02_2_0043ECB0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004035402_2_00403540
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004305412_2_00430541
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004445502_2_00444550
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00407D602_2_00407D60
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00405D602_2_00405D60
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004055002_2_00405500
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004345C12_2_004345C1
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041A5D02_2_0041A5D0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043E5D02_2_0043E5D0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0040A5F02_2_0040A5F0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00429D902_2_00429D90
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004365A02_2_004365A0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004225B02_2_004225B0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042BDBB2_2_0042BDBB
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004446402_2_00444640
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042B6522_2_0042B652
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041D6552_2_0041D655
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042D6602_2_0042D660
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004276612_2_00427661
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0040F66C2_2_0040F66C
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004416702_2_00441670
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004126302_2_00412630
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00428E312_2_00428E31
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00420EE02_2_00420EE0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00403EF02_2_00403EF0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004156902_2_00415690
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043EE902_2_0043EE90
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00426F492_2_00426F49
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0040C7602_2_0040C760
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004447602_2_00444760
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004027702_2_00402770
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041F7002_2_0041F700
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004457102_2_00445710
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0043B7192_2_0043B719
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00443F352_2_00443F35
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_00406FD02_2_00406FD0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004237D02_2_004237D0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0041E7E02_2_0041E7E0
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_004177EA2_2_004177EA
                    Source: C:\Users\user\Desktop\random.exeCode function: 2_2_0042C7F72_2_0042C7F7
                    Source: C:\Users\user\Desktop\random.exeCode function: String function: 00414B20 appears 94 times
                    Source: C:\Users\user\Desktop\random.exeCode function: String function: 00407B60 appears 50 times
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 920
                    Source: random.exe | Static PE information: invalid certificate
                    Source: random.exe, 00000000.00000002.2266234032.00000000009DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs random.exe
                    Source: random.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: random.exe | Static PE information: Section: .bsS ZLIB complexity 1.0003350801777435
                    Source: random.exe, G3EBK1rdW8n7xuLhGg.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.random.exe.3549550.0.raw.unpack, G3EBK1rdW8n7xuLhGg.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: random.exe, Program.cs | Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
                    Source: 0.2.random.exe.3549550.0.raw.unpack, Program.cs | Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/1
                    Source: C:\Users\user\Desktop\random.exe | Code function: 2_2_0043DC50 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                    Source: C:\Users\user\Desktop\random.exe | Mutant created: NULL
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6524
                    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\07e5ef70-4390-4990-b3fb-9fb2abfa0935
                    Source: random.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: random.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\random.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: random.exe | Virustotal: Detection: 48%
                    Source: random.exe | ReversingLabs: Detection: 47%
                    Source: C:\Users\user\Desktop\random.exe | File read: C:\Users\user\Desktop\random.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 920
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ucrtbase_clr0400.dll (2 times)
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: webio.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\random.exe | Section loaded: ondemandconnroutehelper.dll (6 times)
                    Source: random.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: random.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: random.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.Windows.Forms.pdb source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: System.Core.pdb source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: Abacost.pdb source: random.exe, WERF021.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdb source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: System.pdb source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERF021.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WERF021.tmp.dmp.6.dr
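The process entries above show the chain a detection engineer wants to match from endpoint telemetry: random.exe launches two further copies of itself, and WerFault.exe is then started for PID 6524. The following is an added example written for this page, not code from the Joe Sandbox report: it runs over constructed process-creation records modelled on those entries (only PID 6524 comes from the report, via WerFault's "-p 6524" argument; the other PIDs and the explorer.exe control record are made up) and flags any process that launches a child with its own image path, then checks whether a member of that chain crashed into WerFault.

```python
"""Flag the self-spawn chain from the report (random.exe -> random.exe, then WerFault for PID 6524)
in process-creation telemetry. Added example for this page; not Joe Sandbox code."""
import re

# Constructed records modelled on the 'Process created' entries above. Only PID 6524 comes from
# the report (WerFault's "-p 6524"); the other PIDs and the explorer.exe control row are made up.
EVENTS = [
    {"pid": 6524, "ppid": 4100, "image": r"C:\Users\user\Desktop\random.exe",
     "cmdline": r'"C:\Users\user\Desktop\random.exe"'},
    {"pid": 6612, "ppid": 6524, "image": r"C:\Users\user\Desktop\random.exe",
     "cmdline": r'"C:\Users\user\Desktop\random.exe"'},
    {"pid": 6700, "ppid": 6524, "image": r"C:\Users\user\Desktop\random.exe",
     "cmdline": r'"C:\Users\user\Desktop\random.exe"'},
    {"pid": 6812, "ppid": 6524, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 920"},
    {"pid": 7000, "ppid": 4100, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
]

# WerFault names the crashing process with -p <pid>; the -u/-s flags vary and are ignored.
WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def find_self_spawns(events):
    """(parent_pid, child_pid) for every child whose image path equals its parent's."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["ppid"], e["pid"]) for e in events
            if e["ppid"] in by_pid
            and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]


def find_werfault_targets(events):
    """crashing_pid -> WerFault pid, parsed from WerFault's command line."""
    targets = {}
    for e in events:
        m = WERFAULT_TARGET.search(e["cmdline"])
        if m:
            targets[int(m.group(1))] = e["pid"]
    return targets


def triage(events):
    """Self-spawn pairs, the PIDs involved, and which of them ended up in WerFault."""
    pairs = find_self_spawns(events)
    crashed = find_werfault_targets(events)
    chain = {pid for pair in pairs for pid in pair}
    return {
        "self_spawn_pairs": pairs,
        "chain_pids": sorted(chain),
        "chain_crashed": sorted(pid for pid in chain if pid in crashed),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

A same-image child is not suspicious on its own (browsers, console hosts and installers do it routinely), so treat the self-spawn match as a triage filter to correlate with the injection-related behaviour the report lists, and adapt the regex to the command-line format your EDR actually emits.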

                    Data Obfuscation

                    Source: random.exe, G3EBK1rdW8n7xuLhGg.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),ClGAa1LAa5jeh1symTo(typeof(Type).TypeHandle)})
                    Source: 0.2.random.exe.3549550.0.raw.unpack, G3EBK1rdW8n7xuLhGg.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),ClGAa1LAa5jeh1symTo(typeof(Type).TypeHandle)})
                    Source: random.exe | Static PE information: 0x84DB26BC [Sun Aug 19 02:06:52 2040 UTC]
                    Source: random.exe | Static PE information: real checksum: 0x671bc should be: 0x71d0f
                    Source: C:\Users\user\Desktop\random.exe | Code function: 2_2_0044A8CE push ebp; iretd | 2_2_0044A8D2
                    Source: C:\Users\user\Desktop\random.exe | Code function: 2_2_00444500 push eax; mov dword ptr [esp], FCFFFED1h | 2_2_00444501
                    Source: C:\Users\user\Desktop\random.exe | Code function: 2_2_0044B660 push cs; retf | 2_2_0044B661
                    Source: random.exe, zIpx4jg4rK8h8VLKg8p.cs | High entropy of concatenated method names: 'qr0gBkBYOl', 's3mgtIyxM5', 'A77g90gj4d', 'osVgpliDCf', 'q1sgkRD4Ek', 'JOWgFWSpSj', 'NScg2CrOq1', 'mg1gbiWgdl', 'u3bgopPfsW', 'IQQgq5NBjI'
                    Source: random.exe, G3EBK1rdW8n7xuLhGg.cs | High entropy of concatenated method names: 'Jx9y5ByhvYSEmJFh5aM', 'tlpEKnyQHffSFMxLGQm', 'JFQsUkcwgw', 'sdQX61y4nO5wlCxMCEs', 'elTxMyyDhS9RbVVfIE7', 'Kh8mdmyKf69ZWs1o1Wh', 'vQvBUgycd7qTRPnDKc2', 'nW4lBacjpc', 'q0Ggwr9pio', 'r6Ygsbq6N1'
                    Source: 0.2.random.exe.3549550.0.raw.unpack, zIpx4jg4rK8h8VLKg8p.cs | High entropy of concatenated method names: 'qr0gBkBYOl', 's3mgtIyxM5', 'A77g90gj4d', 'osVgpliDCf', 'q1sgkRD4Ek', 'JOWgFWSpSj', 'NScg2CrOq1', 'mg1gbiWgdl', 'u3bgopPfsW', 'IQQgq5NBjI'
                    Source: 0.2.random.exe.3549550.0.raw.unpack, G3EBK1rdW8n7xuLhGg.cs | High entropy of concatenated method names: 'Jx9y5ByhvYSEmJFh5aM', 'tlpEKnyQHffSFMxLGQm', 'JFQsUkcwgw', 'sdQX61y4nO5wlCxMCEs', 'elTxMyyDhS9RbVVfIE7', 'Kh8mdmyKf69ZWs1o1Wh', 'vQvBUgycd7qTRPnDKc2', 'nW4lBacjpc', 'q0Ggwr9pio', 'r6Ygsbq6N1'
                    Source: C:\Users\user\Desktop\random.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\random.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\random.exe | Process information set: NOOPENFILEERRORBOX (24 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 times)

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\random.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\random.exe; System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\random.exe; Memory allocated: 23B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe; Memory allocated: 2540000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe; Memory allocated: 4540000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe TID: 5968; Thread sleep time: -150000s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.6.dr; Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.6.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.6.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.6.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: random.exe, 00000002.00000002.2153337035.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000002.00000002.2153337035.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                    Source: Amcache.hve.6.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.6.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.6.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.6.dr; Binary or memory string: vmci.sys
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.6.dr; Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.6.dr; Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.6.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware20,1
                    Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.6.dr; Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.6.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.6.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.6.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.6.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\Desktop\random.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\random.exe; Process queried: DebugPort
                    Source: C:\Users\user\Desktop\random.exe; Code function: 2_2_00442B70 LdrInitializeThunk
                    Source: C:\Users\user\Desktop\random.exe; Code function: 0_2_02545411 mov edi, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\random.exe; Code function: 0_2_0254558E mov edi, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\random.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\random.exe; Code function: 0_2_02545411 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread
                    Source: C:\Users\user\Desktop\random.exe; Memory written: C:\Users\user\Desktop\random.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\random.exe; Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: C:\Users\user\Desktop\random.exe; Queries volume information: C:\Users\user\Desktop\random.exe VolumeInformation
                    Source: C:\Users\user\Desktop\random.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\random.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\random.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.6.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.6.dr; Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.6.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: random.exe, 00000002.00000002.2153495691.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: Amcache.hve.6.dr; Binary or memory string: MsMpEng.exe
                    Source: C:\Users\user\Desktop\random.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match; File source: Process Memory Space: random.exe PID: 6756, type: MEMORYSTR
                    Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match; File source: random.exe, type: SAMPLE
                    Source: Yara match; File source: 0.0.random.exe.260000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.random.exe.3549550.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.random.exe.3549550.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000000.2027197577.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2268346574.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: random.exe, 00000002.00000002.2153337035.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Wallets/Electrum
                    Source: random.exe, 00000002.00000002.2153337035.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Wallets/ElectronCash
                    Source: random.exe, 00000002.00000002.2153337035.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: window-state.json
                    Source: random.exe, 00000002.00000002.2153337035.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum
                    Source: random.exe, 00000000.00000002.2268346574.0000000003549000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: set_UseMachineKeyStore
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\FTPbox
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\FTPGetter
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\FTPInfo
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\ProgramData\SiteDesigner\3D-FTP
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\FTPRush
                    Source: C:\Users\user\Desktop\random.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                    Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                    Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                    Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                    Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                    Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior

                    Remote Access Functionality

                    Source: Yara match  File source: Process Memory Space: random.exe PID: 6756, type: MEMORYSTR
                    Source: Yara match  File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match  File source: random.exe, type: SAMPLE
                    Source: Yara match  File source: 0.0.random.exe.260000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0.2.random.exe.3549550.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0.2.random.exe.3549550.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 00000000.00000000.2027197577.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.2268346574.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 12 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 211 Process Injection; 11 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                    Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 1 Query Registry; 231 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery; Remote System Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 11 Archive Collected Data; 41 Data from Local System; 2 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 21 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement