Edit tour

Windows Analysis Report
project.exe

Overview

General Information

Sample name:	project.exe
Analysis ID:	1462735
MD5:	2b9cef8cf6801b96fd404a6436da80ed
SHA1:	1ce86e613c56d643db8a4909da275fea526bda35
SHA256:	b87aa54a7352136564ac19a66a89529d95aaf7bbd2474f035e4fd83d65ae579c
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Powershell download and execute

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Installs a raw input device (often for capturing keystrokes)

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

project.exe (PID: 4940 cmdline: "C:\Users\user\Desktop\project.exe" MD5: 2B9CEF8CF6801B96FD404A6436DA80ED)

conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3892 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

tasklist.exe (PID: 2720 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: project.exe PID: 4940	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Joe Sandbox Signatures

• Cryptography
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: Failed to remove test fileMinimum size of file namesMaximum size of file namesFill files with ASCII 0x00Failed to open file %q: %vcouldn't find directory %qYCbCrSubsampleRatioUnknownbase 128 integer too largetruncated base 128 integerasn1: invalid UTF-8 stringnon sequence tagged as setchacha20: wrong nonce sizechacha20: counter overflowargument must be a pointer2006-01-02 15:04:05.999999sources cannot contain nildidn't find any PEM blocksunexpected options type %TWorkloadIdentityCredentialResponse contained no bodyUsernamePasswordCredentialAzureConnectedMachineAgentIDENTITY_SERVER_THUMBPRINTDEFAULT_IDENTITY_CLIENT_IDAZURE_FEDERATED_TOKEN_FILEmultipart/mixed; boundary=token signature is invalidtoken has invalid audienceno AccessToken in ResponseStarting auth server on %sRedirecting browser to: %sList all the option blocksGet all the global optionsRuns a garbage collection.put: zero-length inode keyread: zero-length node keyapplication/x-ms-installerapplication/vnd.ms-outlookapplication/x-unix-archiveapplication/vnd.adobe.xfdfinvalid value; expected %sexpected integer; found %sexpected complex; found %stoo many slice indexes: %dnon-comparable type %s: %vinstance/service-accounts/files/{fileId}/permissionsUse API `DeleteV2` insteadUse API `SearchV2` insteadupload_session/start_batchlist_file_members/continuerelinquish_file_membershipremove_folder_member_errorlegal_holds/release_policymembers/add/job_status/getmembers/send_welcome_emailproperties/template/updatepredefinedDefaultObjectAclifSourceGenerationNotMatchgob: local interface type one or more keys not founderror sending to a KDC: %serror reading response: %vdefault_client_keytab_name-//ietf//dtd html strict//https://api.imagekit.io/v2overwriteIgnoreNonexistingError parsing response: %vCircular linkage attemptedprelogin: no salt returnedTimeout waiting for eventsSignalling events receivedupload chunk is wrong size"2006-01-02T15:04:05.999Z"OCI_GO_SDK_LOG_OUTPUT_MODEGetPreauthenticatedRequest-----BEGIN PUBLIC KEY-----/identity/intermediate.pemAWS_STS_REGIONAL_ENDPOINTSAWS_SDK_GO_CLIENT_TLS_CERTAWS_USE_DUALSTACK_ENDPOINTendpoint_discovery_enabledCredentialRequiresARNErrortoken file path is not setfailed to refresh auth: %wnot able to unlock any keyfailed to delete child: %whttps://mail.proton.me/api/core/v4/domains/available<ID: %v Name: %q Size: %v>DELETE Bucket NotificationDeleteMultipleObjectsInputGET Bucket External MirrorPUT Bucket External MirrorPutBucketNotificationInputAccessControlRequestMethodcore.ValidateReqSigHandlerrequest expired, resigningno EC2 instance role foundinstance-identity/documentfailed to get EC2 IAM infoenableTokenProviderHandlerpartition: %q, service: %qcould not resolve endpointappmesh.af-south-1.api.awsappmesh.ap-south-1.api.awsappmesh.eu-north-1.api.awsappmesh.eu-south-1.api.awsappmesh.me-south-1.api.awsbedrock-runtime-ap-south-1ce.us-east-1.amazonaws.comdatazone.ap-east-1.api.awsdatazone.ca-west-1.api.awsdatazone.eu-west-1.api.awsdatazone.eu-west-2.api.awsdatazone.e

memstr_94aecf0b-a

Source: project.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:10000/devstoreaccount1failed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:53682/https://api.box.com/2.0couldn
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:8080/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:9980/renter/uploadstream/Memset
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.169.254/metadata/identity/oauth2/tokenChunkedReader.openRange
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.169.254/metadata/instance/compute/location?format=text&api-version=2021-10-01Total
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.169.254/opc/v1
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.169.254/opc/v2/instance/regionInfoHTTP
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.169.254malformed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.170.2InvalidIdentityTokenGetSessionTokenInputPolicyDescriptorTypeexpected
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearerbug:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/IssueREQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DON
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdcould
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdbug:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://earth.google.com/kml/2.0
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://earth.google.com/kml/2.1
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://earth.google.com/kml/2.2
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://github.com/rclone/rclone-webui-react).
Source: project.exe, 00000000.00000000.1508386354.0000000003B8B000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nextcloud.org/ns
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp, project.exe, 00000000.00000000.1508386354.0000000003B8B000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://owncloud.org/ns
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://owncloud.org/nsno
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s3.amazonaws.com/doc/2006-03-01/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/:Clienturn:schemas-upnp-org:service:ConnectionManager:1Retr
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policybug:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuejson
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKeyfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sia.daemon.host:9980.
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdxml:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%s%s/_layouts/15/download.aspx?share=%sDisplay
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%s.%s/%s/v2.0/.well-known/openid-configuration(-?
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%s.%sno
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%s/%s/%s/_layouts/15/download.aspx?share=%s/var/run/secrets/kubernetes.io/serviceaccount/tok
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%s/adfs/.well-known/openid-configurationunable
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%s/api/1.0/Ceph
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%v/common/userrealm/login-us.microsoftonline.cominconsistent
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://1drv.ms/t/s
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://1fichier.com/dir/couldn
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://XXX.sharefile.com
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://XXX.sharepoint.com/sites/mysite
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://XXX.sharepoint.com/teams/ID
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://accounts.google.com/.well-known/openid-configurationTime
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://accounts.zoho.eu/oauth/v2/tokenhttps://accounts.zoho.%s/oauth/v2/tokencan
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://accounts.zoho.euhttps://accounts.zoho.%sapplication/vnd.api
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/azsdk/go/identity/troubleshoot#%sservice
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/azsdk/go/identity/troubleshoot#dac
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api-drive.mypikpak.comchunk
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.1fichier.com/v1cannot
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.backblazeb2.comfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.github.com/repos/%s/%s/releases/%scould
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.hidrive.strato.com/2.1Whether
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.idrivee2.com/api/service/get_region_end_pointDeleting
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.imagekit.io/v2overwriteIgnoreNonexistingError
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.jottacloud.com/Creating
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.onedrive.com/v1.0/shares/u
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.put.io/v2/oauth2/authenticatehttps://api.put.io/v2/oauth2/access_tokenUS
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.sugarsync.comapplication_credential_idcontainer
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://apis.uloz.tobearer_token_commandnextcloud_chunk_sizecopy
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://app.box.com/api/oauth2/tokenattempting
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://app.koofr.net/app/admin/preferences/password.Can
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://app.koofr.netfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://archive.org/account/s3.phpodata.count
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://archive.orgrclone-update-trackx-archive-size-hintupload_resume_limitchoose_device_queryconfi
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://auth.api.rackspacecloud.com/v1.0failed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://auth.storage.memset.com/v1.0https://auth.storage.memset.com/v2.0
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://authenticate.ain.netcontainer
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://beta.rclone.org%s:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://beta.rclone.org/tabwriter:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://beta.rclone.org/v1.42-005-g56e1e820
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cloud-api.yandex.com/v1/diskfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cloud-auth.telia.se/auth/realms/telia_se/protocol/openid-connect/authCan
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cloud-auth.telia.se/auth/realms/telia_se/protocol/openid-connect/tokenhttps://id.jottacloud.
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cloud.google.com/storage/docs/bucket-policy-only
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cloud.mail.rurename
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cloud.seafile.com/mkdir
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://contoso.sharepoint.com/:w:/t/design/a577ghg9hgh737613bmbjf839026561fmzhsr85ng9f3hjck2t5s
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://contoso.sharepoint.com/sites/mysiteautomatically
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dev.yorhel.nl/ncdu)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.box.com/guides/authentication/jwt/as-user/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developers.google.com/drive/api/guides/ref-search-terms).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developers.google.com/drive/api/guides/resource-keys
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developers.google.com/drive/api/reference/rest/v3/Label
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#access-bucket-intro)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration-examples.html)Get-FileHash
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html)If
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.aws.amazon.com/cli/latest/reference/s3/ls.html).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.cloud.oracle.com/Content/General/Concepts/identifiers.htm)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.cloud.oracle.com/Content/Object/Tasks/usingyourencryptionkeys.htm).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.cloud.oracle.com/Content/Object/Tasks/usingyourencryptionkeys.htm).Upload
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.cloud.oracle.com/Content/Object/Tasks/usingyourencryptionkeys.htm)Max
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configurat
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_authentication_methods.htm#sdk_authentic
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htmNo
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.ht
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htmDon
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/understandingstoragetiers.htm--sftp-ssh
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_%v__%v_%soauth2/google/e
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Bucket/CreateBuckethttps://docs.oracle.
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Bucket/GetBuckethttps://docs.oracle.com
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Bucket/ListBucketshttps://docs.oracle.c
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/AbortMultipartUploadhtt
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/CommitMultipartUploadht
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/ListMultipartUploadPart
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Namespace/GetNamespaceMetadatahttps://d
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Namespace/GetNamespacehttps://docs.orac
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/CopyObjecthttps://docs.oracle.co
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/ListObjectVersionsdescriptor
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/RestoreObjectscredential
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/ObjectLifecyclePolicy/DeleteObjectLifec
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/ObjectLifecyclePolicy/GetObjectLifecycl
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/PreauthenticatedRequest/CreatePreauthen
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/PreauthenticatedRequest/ListPreauthenti
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Replication/CreateReplicationPolicyhttp
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Replication/GetReplicationPolicyhttps:/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Replication/ListReplicationSourcesbatch
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/RetentionRule/CreateRetentionRulehttps:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequest/CancelWorkRequestcollected
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequest/GetWorkRequesthttps://docs.
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequest/ListWorkRequestsexceeded
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequestError/ListWorkRequestErrorsR
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequestLogEntry/ListWorkRequestLogs
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.qingcloud.com/qingstor/api/common/metadata.htmlThe
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.storagemadeeasy.com/organisationcloud/api-tokens
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://downloads.rclone.org/invalid
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://downloads.rclone.org/v1.42
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://downloads.rclone.orgfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://drive.google.com/drive/folders/XXX?resourcekey=YYY&usp=sharing
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://drive.google.com/file/d/0AxBe_CDEF4zkGHI4d0FjYko2QkD/view?usp=drivesdk
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://eu.storagemadeeasy.comfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://forum.rclone.org/).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://forum.rclone.org/t/31922
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://forum.rclone.org/t/sync-not-clearing-duplicates/14372)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://g.api.mega.co.nzGetObjectLifecyclePolicyListMultipartUploadPartsPutObjectLifecyclePolicy----
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://git-annex.branchable.com/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://git-annex.branchable.com/news/version_10.20240430/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/git-annex-remote-rclone/git-annex-remote-rclone
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/go-resty/resty)The
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/golang/go/issues/42728The
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/pkg/xattr/issues/47)).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/blob/master/bin/test_proxy.py)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/2206))
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/3631
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/3857
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/4673
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/7453)).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/7454)).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/issues/7652
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/rclone/rclone/labels/serve%20s3)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/spf13/cobra/issues/1279
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/spf13/cobra/issues/1508
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://go.dev/doc/gc-guide
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://godoc.org/encoding/csv)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://golang.org/pkg/runtime/#MemStats
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gopenpgp.org0001-01-01T00:00:00Zunset
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://iamcredentials.googleapis.com/v1/%s:generateAccessTokengrpc:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://imagekit.io/dashboard/developer/api-keys)Ignoring
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://imagekit.io/dashboard/developer/api-keys)Sia
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://imagekit.io/dashboard/developer/api-keys)https://docs.oracle.com/iaas/api/#/en/objectstorage
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/149522397
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://jfs.jottacloud.com/jfs/couldn
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://link.storjshare.iofailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.chinacloudapi.cn/upload/close_file_upload.json/upload/upload_file_chunk.jsontimeout
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://lon.auth.api.rackspacecloud.com/v1.0https://identity.api.rackspacecloud.com/v2.0The
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mail.proton.me/api/core/v4/domains/available
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://management.azure.comx-ms-range-get-content-crc64x-ms-copy-status-descriptionx-ms-access-tier
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://microsoftgraph.chinacloudapi.cnProfile
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mittcloud-auth.tele2.se/auth/realms/comhem/protocol/openid-connect/authhttps://cloud-auth.on
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mittcloud-auth.tele2.se/auth/realms/comhem/protocol/openid-connect/tokenhttps://cloud-auth.o
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://my.hidrive.com/client/authorizeFull
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mysubdomain.mydomain.tld
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://o2.mail.ru/tokenobject
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://oauth.rclone.org/ShareFile.Api.Models.Filecouldn
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://oauth.yandex.com/authorizeasync
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://oauth.yandex.com/tokenfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://oauth2.googleapis.com/tokenoauth2/google:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://photoslibrary.googleapis.com/v1couldn
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pkg.go.dev/runtime/debug#SetMemoryLimit
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pkg.go.dev/time#pkg-constants)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://plex.tv/users/sign_in.jsonerror
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictrevocation
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://proton.me/support/the-difference-between-the-mailbox-password-and-login-password
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://protonmail.ch/mail/v4/messages/ids/core/v4/users/deletehttps://upload.put.io
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://qingstor.com:443
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raw.githubusercontent.com/%s/%s/%s/package.jsonlanguage:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/bisync)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/bisync/#check-accessShow
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/bisync/#limitations)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/bisync/)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/commands/rclone_bisync/)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/docker).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/docs/#metadata-mapper)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/drive/#making-your-own-client-id
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/dropbox/#batch-mode)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/install/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/overview/#optional-features).
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rclone.org/remote_setup/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://restic.net/)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://s3.us.archive.orgUsername
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://secure.sharefile.com/oauth/authorizeAuthentication
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sky-auth.telia.no/auth/realms/get/protocol/openid-connect/authcan
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sky-auth.telia.no/auth/realms/get/protocol/openid-connect/tokenBearer
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storage.googleapis.comMelbourne
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storage.mtls.googleapis.com/storage/v1/invalid
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storage.rcs-rds.ro/app/admin/preferences/password.size:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storage.rcs-rds.ro/can
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storagemadeeasy.comfailed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://uloz.to/upload-resumable-api-beta
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://upload.box.com/api/2.0The
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://upload.put.io/files/Failed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://uptobox.com/apiowncloud_exclude_sharesExclude
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://uptobox.com/my_account.fs
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://user.mypikpak.com/v1/auth/tokenupload
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://user.mypikpak.com/v1/user/memove:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.backblaze.com/docs/cloud-storage-integration-checklist).Don
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.backblaze.com/docs/cloud-storage-lifecycle-rules
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cloud-platform.read-onlyinvalid
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/devstorage.full_controlcan
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive.apps.readonlyWARNING:
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive.metadata.readonlyLogout
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive.photos.readonlyfiles/
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/photoslibrary.readonlykLJLretPefBgrDHosdml_nlF64HZ9mUcO85X5rdjYBPP8C
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/auth/photoslibraryDone
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v3/filesChange
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.jottacloud.com/failed
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.jottacloud.com/web/securecan
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.linkbox.to/admin/accountReuse
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.premiumize.me/tokenapplication/offset

Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckPKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(unknown versionrecord overflowbad certificate#multipartfilesAccept-LanguageX-Forwarded-Formissing address/etc/mdns.allowunknown network()<>@,;:\"/[]?=RegCreateKeyExWRegDeleteValueWGetModuleHandleMoveToEx failedPolyline failedclientCompositeSetActiveWindowCreatePopupMenuRegisterClassExExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileNotTrueTypeFontProfileNotFoundGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetMonitorInfoWGetRawInputDataInsertMenuItemWIsWindowEnabledPostQuitMessageSetWinEventHookTrackMouseEventWindowFromPointDrawThemeTextExreflectlite.Setjstmpllitinterptarinsecurepathzipinsecurepath is unavailableinvalid integer0601021504Z0700invalid pointerBelowExactAboveCLSIDFromProgIDStringFromCLSIDGetActiveObjectSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockmax_stream_sizeCopy failed: %w?Authorization=large_file_sha1bucket requiredbad max-age: %wbox_config_file/files/content/stream_positionchunk_no_memorytmp_upload_pathGet cache statsnew object '%s'find: error: %vlist: error: %vcan't PutStreamremoving objectnot found %v-%vcan't mkdir: %wwrapped remoteschunk numberingstub ObjectInfowrong sha1 hashChunked '%s:%s'ram_cache_limitpass_bad_blocksauth_owner_onlyuse_shared_datepacer_min_sleepmetadata_labelsdrive.appfolder'%s' in parents,quotaBytesUsedcopy failed: %wsetModifiedDateteamdrive_finalwritersCanShareapplication/rtf5jcck7diasz0rqyUnknown type %Tmove failed: %wfolder_passwordpermanent_tokencheckPathExistsurl must be setupdate stor: %wno_check_bucketbucketOwnerReadpublicReadWriteasia-northeast1asia-northeast2asia-northeast3asia-southeast1asia-southeast2europe-central2token_type_hint^media/by-year$scheme mismatchname contains /stat failed: %wOpen failed: %wFS imagekit: %sis-private-fileinternetarchiverclone-ia-mtimelegacy_usernameconfig_usernamelegacy_passwordconfig_passwordapplication/xmlDirect link: %sYour user name./api/v2/mounts/purge error: %wfileMd5ofPre10mzero_size_linksone_file_systemlist failed: %wNumber of filesFiles.ReadWriteshared-owner-idsetting time %vinode/directoryChosen Drive IDNo drives foundconfig_site_urlconfig_drive_okeapi.pcloud.com/getfilepublink/drive/v1/files/drive/v1/tasks/drive/v1/about/drive/v1/sharePROVIDER_ALIYUNUPLOAD_TYPE_URLdelete-src-fileupload file: %wrename http: %wremove http: %wPutio root '%s'upload-metadata/v2/trash/empty/file/download/get file_id: %wupload/finalizelist_url_encodeversion_deletedAF-JohannesburgLA-Mexico City1Berlin, GermanyEurope Region 1Europe Region 2Warsaw EndpointShanghai RegionVirginia Regions3.rackcorp.comMelbourne Vaultseafile %s '%s'api/v2.1/repos/sha1sum_commandNo shell accessParsed hash: %s/renter/stream//renter/delete/smb://%s@%s:%s/.file-segments//v5/upload/linkunion root '%s'sharepoint-ntlmrclone_modifiedZoho-oauthtoken#

memstr_bbc714d6-e

Source: project.exe

Static PE information: invalid certificate

Source: project.exe

Static PE information: Number of sections : 15 > 10

Source: project.exe, 00000000.00000001.1520712648.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename!json:"originalFilename,omitempty" vs project.exe
Source: project.exe, 00000000.00000002.1785897163.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename!json:"originalFilename,omitempty" vs project.exe
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename!json:"originalFilename,omitempty" vs project.exe

Source: project.exe

Static PE information: Section: /32 ZLIB complexity 0.9894712115330322

Source: classification engine

Classification label: mal52.evad.winEXE@6/1@0/0

Source: C:\Users\user\Desktop\project.exe

File created: C:\Users\user\AppData\Roaming\rclone

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03

Source: C:\Users\user\Desktop\project.exe

File opened: C:\Windows\system32\970c9df920c71de643277efe91ed910aeae492493a570a1f0ddd148122c4be7bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: project.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\project.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\project.exe

File read: C:\Users\user\Desktop\project.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\project.exe "C:\Users\user\Desktop\project.exe"
Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\Desktop\project.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\project.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\project.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: project.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: project.exe

Static file information: File size 84973456 > 1048576

Source: project.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1886e00
Source: project.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1f32c00
Source: project.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1d5e00
Source: project.exe	Static PE information: Raw size of /19 is bigger than: 0x100000 < 0x355400
Source: project.exe	Static PE information: Raw size of /65 is bigger than: 0x100000 < 0x651800
Source: project.exe	Static PE information: Raw size of /78 is bigger than: 0x100000 < 0x488a00
Source: project.exe	Static PE information: Raw size of .symtab is bigger than: 0x100000 < 0x63f200

Source: project.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: project.exe	Static PE information: section name: .xdata
Source: project.exe	Static PE information: section name: /4
Source: project.exe	Static PE information: section name: /19
Source: project.exe	Static PE information: section name: /32
Source: project.exe	Static PE information: section name: /46
Source: project.exe	Static PE information: section name: /65
Source: project.exe	Static PE information: section name: /78
Source: project.exe	Static PE information: section name: /90
Source: project.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\project.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\project.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PNPDeviceID, Size FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\project.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PNPDeviceID, Size FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\project.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: :httpssocks Lockedactivesocks5CANCELGOAWAYPADDEDsetenvreadatremoverenameexec: vmwareVMwarehangupkilledlistensocketSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13GetACPsendto390625uint16uint32uint64structchan<-<-chan ValueCommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidisysmontimersefenceselectscalar, not next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...)
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [?25hcrypto/eax: crypto/ocb: no such hashS2K functionbad Tc valuebad Th valuebad Tq valuebad Pq valuebad Td valuebad Ta valueerroredFilesfile deletedclosed by </MSATimeStampx-client-skux-client-cpux-client-verSetUpSessionTOO_MANY_FOODistributionX-B3-TraceIdX-B3-Sampledgrpc_config=TYPE_UNKNOWNencapsulatedX-Amz-Targetinvalid dataNumberValue:StringValue:StructValue:&types.Type{OneofIndex: &types.Enum{Cardinality:&FloatValue{&Int64Value{&Int32Value{&BytesValue{TYPE_FIXED64TYPE_FIXED32TYPE_MESSAGEnot extendedFieldNumbersAMDisbetter!AuthenticAMDCentaurHaulsGenuineIntelTransmetaCPUGenuineTMx86Geode by NSCVIA VIA VIA KVMKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMbhyve bhyve HygonGenuineVortex86 SoCSiS SiS SiS RiseRiseRiseGenuine RDCLITE_RUNTIMESTRING_PIECEnegative intbad kind: %sunknown nameAuthorizationContent-RangeAccept-RangesIf-None-MatchLast-Modified403 Forbiddeninvalid range[FrameHeader invalid base accept-rangesauthorizationcache-controlcontent-rangeif-none-matchlast-modifiedunknown timersend_too_muchCache-ControlFQDN too longsocks connectReset ContentLoop DetectedSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATE%userprofile%FindFirstFile relative to level 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameparsing time out of range in duration DeleteServiceStartServiceWFindResourceWGetDriveTypeWModule32NextWThread32FirstWaitCommEventRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodWTSFreeMemory3814697265625Gunjala_GondiMasaram_GondiMende_KikakuiOld_HungarianprofMemActiveprofMemFuturetraceStackTabexecRInternaltestRInternalGC sweep waitout of memoryunimplemented is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [%p1%'('%+%dmgnome-256colorxterm-256colorunknown markerbad RST markerInvalidRequestXXX_OneofFuncsNOT_ENOUGH_FOOhttp.client_ipLOGGER_UNKNOWNinvalid kind: <id s:%d m:%d>&types.Method{SourceContext:&types.Struct{DefaultValue: &types.Option{ReservedRangesLABEL_OPTIONALLABEL_REPEATEDLABEL_REQUIREDinvalid paddingHalfClosedLocalapplication/pdfapplication/oggfont/collectionapplication/zipnegative updateaccept-encodingaccept-languagex-forwarded-fortrailers_pseudobad_path_methodAccept-Encodingrecv_rststream_Idempotency-Key400 Bad RequestPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandlenegative offset is not definedvboxservice.exeadvertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWProcess32FirstWUnmapViewOfFileFailed to load Failed to find not implemented: cannot parse ,M3.2.0,M11.1.0GetSecurityInfoImpersonateSelfOpenThreadTokenSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodeIsWindowVisibletimeBeginPeriod476837158203125invalid bitSizeinvalid argSize<invalid Value>Hanifi_RohingyaPsalter_PahlaviallocmRInternalGC (fractional)write heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockmalloc deadlockruntime error: elem size wrong with GC prog
Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cDxterm-kittyTESTING KEYAppMetaDatax-client-osS2A_TIMEOUTUNSPECIFIEDX-B3-SpanIdhttp.targethttp.schemefallthroughoutputs > 3&types.Any{&types.Api{&FieldMask{&ListValue{Enumvalue: OneofIndex:&EnumValue{DoubleValueUInt64ValueUInt32ValueStringValue&BoolValue{TYPE_DOUBLETYPE_UINT64TYPE_STRINGTYPE_UINT32TYPE_SINT32TYPE_SINT64FieldRangesFileImportsCardinalityHasJSONNameHasPresenceIsExtensionempty sliceDECLARATION,omitempty,<panic: %s>kernel32.dll-WindowStyle\driver1.exe\driver1.rarshort bufferimage/x-iconContent-TypeCookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2out of rangepush_promisedata_on_idleheaders_evendup_trailers100-continuerecv_goaway_status code Multi-StatusNot ModifiedUnauthorizedI'm a teapotNot ExtendedproxyconnectPUSH_PROMISECONTINUATIONFindNextFileexit status LocalAppDatavmtoolsd.exevmacthlp.exeVBoxTray.exeinvalid slothost is downillegal seekGetLengthSidGetLastErrorGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileGetAddrInfoWadvapi32.dlliphlpapi.dllnetapi32.dllCfgMgr32.dllsetupapi.dllwintrust.dllwtsapi32.dllOpenServiceWReportEventWRevertToSelfCreateEventWCreateMutexWGetCommStateGetProcessIdLoadResourceLockResourceReleaseMutexResumeThreadSetCommBreakSetCommStateSetErrorModeSetStdHandleThread32NextUnlockFileExVirtualAllocVirtualQueryNtCreateFileCoCreateGuidLittleEndian152587890625762939453125 has no name has no typereflect.CopyCypro_MinoanMeetei_MayekPahawh_HmongSora_SompengSyloti_NagrisweepWaiterstraceStringsspanSetSpinemspanSpecialgcBitsArenasmheapSpecialgcpacertracemadvdontneedharddecommitdumping heapchan receivecan't happenlfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (
Source: project.exe, 00000000.00000000.1506138729.0000000002B36000.00000002.00000001.01000000.00000003.sdmp, project.exe, 00000000.00000000.1510202417.0000000004E93000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: project/modules/sub_499163.isVirtualMachine

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\project.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: project.exe PID: 4940, type: MEMORYSTR

Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name			Jump to behavior
Source: C:\Users\user\Desktop\project.exe	Process created: C:\Windows\System32\tasklist.exe tasklist			Jump to behavior

Source: project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: %sinvalid styleSetWindowLongeffect == nilShell_TrayWndDestroyWindowGetWindowLongGetWindowRectGetClientRectKana / HangulHanja / KanjiBrowserSearchImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWRtlMoveMemoryOleInitializeSysFreeStringwglShareListsPdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWnot availablegocacheverifyinstallgoroothtml/templateinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSStrailing dataemail addressinvalid port name too longStringFromIIDIIDFromStringSafeArrayCopySafeArrayLockclient_secretmsi_object_idmsi_client_idmsi_mi_res_idupload_cutoffpublic_accesshttps://%s.%sno more pageskey not found/b2_hide_file/b2_copy_file/b2_copy_partbox root '%s'expired_tokennot ready yetcache-backendplex_usernameplex_passwordplex_insecuretmp_wait_timepurging cachecache-cleanupwrong versionrclone-press-exportformatsimportformatssize_as_quotadisable_http2 or name='%s'appDataFolderremoveParentsexisting filepermissionIdssharing.writeCommitting %sshared_folderfile_passworddoMoveFoldersupload faileddoAbortUploadFTP username.FTP password.close_timeoutdisable_tls13dirExists: %wstorage_classeurope-north1GCS bucket %spredefinedAcl&userProject=google photosGoogle Photos/sharedAlbums^upload/(.*)$db not found.hasher::%s:%sputHashes: %vhost mismatchname is emptyaccess_key_id/rclone-mtimeconfigVersionchoose_devicejotta-defaultconfig_devicerclone-jcmd5-folder_createMail.ru Cloudinvalid token%s failed: %wHTTP protocolcreated-by-id/permissions/access_scopeslink_passworddriveid_finalconfig_siteidAccessDenied_respond-asynctemp_location%s (Error %d)~/.oci/configoos:bucket %s/oauth2_token/createfolder/deletefolder/renamefolder/checksumfileinvalid_grantpremiumize.meCreateDir: %w/folder/pasteMove http: %w/account/infotus-resumableupload-lengthsentBytes: %dupload-offsetputio-file-idQingStor rootfind leaf: %wfile/metadataset mtime: %wsession_tokenus-gov-east-1us-gov-west-1Paris, FranceLA-Sao Paulo1Asia (Taiwan)s3.petabox.ios3.leviia.comEU Endpoint 1EU Endpoint 2US Endpoint 1US Endpoint 2TW Endpoint 1Mumbai RegionMoscow Regionus-east-vaultus-south-coldus-south-flexAPAC StandardToronto Vaultarn:aws:kms:*Using v2 authRestoreStatus?versionId=%sneed a bucket%q version %v.rclone-move-X-SEAFILE-OTP/file/detail//upload-link/relative_pathSSH username.key_file_passkey_use_agentpath_overriderclone md5sumAbout path %qShell path %qsingleversion/renter/file/SMB username.SMB password.Access grant.connecting...mkdir -p ./%srange %d + %drefresh_tokentenant_domainendpoint_typeaction_policycreate_policysearch_policyno region setTeam Drive IDworkspace_end# Alloc = %d

Source: C:\Users\user\Desktop\project.exe

Queries volume information: C:\Users\user\Desktop\project.exe VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Virtualization/Sandbox Evasion	LSASS Memory	111 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	113 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
project.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/ObjectLifecyclePolicy/DeleteObjectLifec	0%	Avira URL Cloud	safe
https://archive.org/account/s3.phpodata.count	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/IssueREQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DON	0%	Avira URL Cloud	safe
https://downloads.rclone.orgfailed	0%	Avira URL Cloud	safe
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)).	0%	Avira URL Cloud	safe
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#access-bucket-intro)	0%	Avira URL Cloud	safe
https://www.backblaze.com/docs/cloud-storage-lifecycle-rules	0%	Avira URL Cloud	safe
http://sia.daemon.host:9980.	0%	Avira URL Cloud	safe
https://mittcloud-auth.tele2.se/auth/realms/comhem/protocol/openid-connect/tokenhttps://cloud-auth.o	0%	Avira URL Cloud	safe
https://protonmail.ch/mail/v4/messages/ids/core/v4/users/deletehttps://upload.put.io	0%	Avira URL Cloud	safe
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm	0%	Avira URL Cloud	safe
https://proton.me/support/the-difference-between-the-mailbox-password-and-login-password	0%	Avira URL Cloud	safe
https://github.com/rclone/rclone/issues/7652	0%	Avira URL Cloud	safe
https://microsoftgraph.chinacloudapi.cnProfile	0%	Avira URL Cloud	safe
http://github.com/rclone/rclone-webui-react).	0%	Avira URL Cloud	safe
https://rclone.org/bisync/#limitations)	0%	Avira URL Cloud	safe
https://%v/common/userrealm/login-us.microsoftonline.cominconsistent	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/%s/%s/%s/package.jsonlanguage:	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/ObjectLifecyclePolicy/GetObjectLifecycl	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/PreauthenticatedRequest/CreatePreauthen	0%	Avira URL Cloud	safe
https://github.com/rclone/rclone/issues/3857	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/CommitMultipartUploadht	0%	Avira URL Cloud	safe
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configurat	0%	Avira URL Cloud	safe
https://beta.rclone.org%s:	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Bucket/GetBuckethttps://docs.oracle.com	0%	Avira URL Cloud	safe
https://app.koofr.net/app/admin/preferences/password.Can	0%	Avira URL Cloud	safe
http://owncloud.org/ns	0%	Avira URL Cloud	safe
http://127.0.0.1:9980/renter/uploadstream/Memset	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/09/policybug:	0%	Avira URL Cloud	safe
https://docs.aws.amazon.com/cli/latest/reference/s3/ls.html).	0%	Avira URL Cloud	safe
https://aka.ms/azsdk/go/identity/troubleshoot#dac	0%	Avira URL Cloud	safe
https://pkg.go.dev/time#pkg-constants)	0%	Avira URL Cloud	safe
https://github.com/go-resty/resty)The	0%	Avira URL Cloud	safe
https://user.mypikpak.com/v1/user/memove:	0%	Avira URL Cloud	safe
https://github.com/rclone/rclone/labels/serve%20s3)	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/AbortMultipartUploadhtt	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey	0%	Avira URL Cloud	safe
https://user.mypikpak.com/v1/auth/tokenupload	0%	Avira URL Cloud	safe
https://oauth.yandex.com/authorizeasync	0%	Avira URL Cloud	safe
https://XXX.sharepoint.com/sites/mysite	0%	Avira URL Cloud	safe
https://github.com/git-annex-remote-rclone/git-annex-remote-rclone	0%	Avira URL Cloud	safe
https://github.com/rclone/rclone/blob/master/bin/test_proxy.py)	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/ListObjectVersionsdescriptor	0%	Avira URL Cloud	safe
https://sky-auth.telia.no/auth/realms/get/protocol/openid-connect/tokenBearer	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	Avira URL Cloud	safe
https://api.sugarsync.comapplication_credential_idcontainer	0%	Avira URL Cloud	safe
https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html)If	0%	Avira URL Cloud	safe
https://qingstor.com:443	0%	Avira URL Cloud	safe
https://rclone.org/install/	0%	Avira URL Cloud	safe
https://%s/adfs/.well-known/openid-configurationunable	0%	Avira URL Cloud	safe
https://apis.uloz.tobearer_token_commandnextcloud_chunk_sizecopy	0%	Avira URL Cloud	safe
https://www.backblaze.com/docs/cloud-storage-integration-checklist).Don	0%	Avira URL Cloud	safe
https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl	0%	Avira URL Cloud	safe
http://127.0.0.1:10000/devstoreaccount1failed	0%	Avira URL Cloud	safe
https://auth.storage.memset.com/v1.0https://auth.storage.memset.com/v2.0	0%	Avira URL Cloud	safe
https://rclone.org/docs/#metadata-mapper)	0%	Avira URL Cloud	safe
https://auth.api.rackspacecloud.com/v1.0failed	0%	Avira URL Cloud	safe
https://XXX.sharepoint.com/teams/ID	0%	Avira URL Cloud	safe
https://my.hidrive.com/client/authorizeFull	0%	Avira URL Cloud	safe
https://api.imagekit.io/v2overwriteIgnoreNonexistingError	0%	Avira URL Cloud	safe
http://nextcloud.org/ns	0%	Avira URL Cloud	safe
https://docs.cloud.oracle.com/Content/Object/Tasks/usingyourencryptionkeys.htm).Upload	0%	Avira URL Cloud	safe
https://rclone.org/drive/#making-your-own-client-id	0%	Avira URL Cloud	safe
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdxml:	0%	Avira URL Cloud	safe
https://link.storjshare.iofailed	0%	Avira URL Cloud	safe
https://sky-auth.telia.no/auth/realms/get/protocol/openid-connect/authcan	0%	Avira URL Cloud	safe
https://drive.google.com/file/d/0AxBe_CDEF4zkGHI4d0FjYko2QkD/view?usp=drivesdk	0%	Avira URL Cloud	safe
https://rclone.org/bisync/)	0%	Avira URL Cloud	safe
https://downloads.rclone.org/v1.42	0%	Avira URL Cloud	safe
https://plex.tv/users/sign_in.jsonerror	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	Avira URL Cloud	safe
https://github.com/rclone/rclone/issues/7454)).	0%	Avira URL Cloud	safe
https://pkg.go.dev/runtime/debug#SetMemoryLimit	0%	Avira URL Cloud	safe
https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/understandingstoragetiers.htm--sftp-ssh	0%	Avira URL Cloud	safe
https://oauth.rclone.org/ShareFile.Api.Models.Filecouldn	0%	Avira URL Cloud	safe
https://github.com/rclone/rclone/issues/4673	0%	Avira URL Cloud	safe
https://issuetracker.google.com/issues/149522397	0%	Avira URL Cloud	safe
https://api.idrivee2.com/api/service/get_region_end_pointDeleting	0%	Avira URL Cloud	safe
https://go.dev/doc/gc-guide	0%	Avira URL Cloud	safe
https://uptobox.com/my_account.fs	0%	Avira URL Cloud	safe
http://127.0.0.1:8080/	0%	Avira URL Cloud	safe
https://forum.rclone.org/t/31922	0%	Avira URL Cloud	safe
https://godoc.org/encoding/csv)	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Replication/GetReplicationPolicyhttps:/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/envelope/:Clienturn:schemas-upnp-org:service:ConnectionManager:1Retr	0%	Avira URL Cloud	safe
https://XXX.sharefile.com	0%	Avira URL Cloud	safe
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htmDon	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.2	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/RestoreObjectscredential	0%	Avira URL Cloud	safe
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequestLogEntry/ListWorkRequestLogs	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.0	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.1	0%	Avira URL Cloud	safe
https://cloud.google.com/storage/docs/bucket-policy-only	0%	Avira URL Cloud	safe
https://uloz.to/upload-resumable-api-beta	0%	Avira URL Cloud	safe
https://developers.google.com/drive/api/guides/ref-search-terms).	0%	Avira URL Cloud	safe
https://jfs.jottacloud.com/jfs/couldn	0%	Avira URL Cloud	safe
https://login.chinacloudapi.cn/upload/close_file_upload.json/upload/upload_file_chunk.jsontimeout	0%	Avira URL Cloud	safe
https://cloud-api.yandex.com/v1/diskfailed	0%	Avira URL Cloud	safe
https://forum.rclone.org/).	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/ObjectLifecyclePolicy/DeleteObjectLifec	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/IssueREQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DON	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://sia.daemon.host:9980.	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://mittcloud-auth.tele2.se/auth/realms/comhem/protocol/openid-connect/tokenhttps://cloud-auth.o	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://protonmail.ch/mail/v4/messages/ids/core/v4/users/deletehttps://upload.put.io	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.backblaze.com/docs/cloud-storage-lifecycle-rules	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#access-bucket-intro)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)).	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://archive.org/account/s3.phpodata.count	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.rclone.orgfailed	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://microsoftgraph.chinacloudapi.cnProfile	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://%v/common/userrealm/login-us.microsoftonline.cominconsistent	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/ObjectLifecyclePolicy/GetObjectLifecycl	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://proton.me/support/the-difference-between-the-mailbox-password-and-login-password	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/rclone/rclone/issues/7652	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/PreauthenticatedRequest/CreatePreauthen	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://github.com/rclone/rclone-webui-react).	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/%s/%s/%s/package.jsonlanguage:	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rclone.org/bisync/#limitations)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/rclone/rclone/issues/3857	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/CommitMultipartUploadht	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configurat	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Bucket/GetBuckethttps://docs.oracle.com	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://beta.rclone.org%s:	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://app.koofr.net/app/admin/preferences/password.Can	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policybug:	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.aws.amazon.com/cli/latest/reference/s3/ls.html).	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://owncloud.org/ns	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp, project.exe, 00000000.00000000.1508386354.0000000003B8B000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:9980/renter/uploadstream/Memset	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/azsdk/go/identity/troubleshoot#dac	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://pkg.go.dev/time#pkg-constants)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/go-resty/resty)The	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://user.mypikpak.com/v1/user/memove:	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://user.mypikpak.com/v1/auth/tokenupload	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/rclone/rclone/labels/serve%20s3)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://oauth.yandex.com/authorizeasync	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/MultipartUpload/AbortMultipartUploadhtt	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/git-annex-remote-rclone/git-annex-remote-rclone	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://XXX.sharepoint.com/sites/mysite	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/rclone/rclone/blob/master/bin/test_proxy.py)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/ListObjectVersionsdescriptor	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://sky-auth.telia.no/auth/realms/get/protocol/openid-connect/tokenBearer	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://api.sugarsync.comapplication_credential_idcontainer	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html)If	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://qingstor.com:443	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rclone.org/install/	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://%s/adfs/.well-known/openid-configurationunable	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.uloz.tobearer_token_commandnextcloud_chunk_sizecopy	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.backblaze.com/docs/cloud-storage-integration-checklist).Don	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:10000/devstoreaccount1failed	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://auth.storage.memset.com/v1.0https://auth.storage.memset.com/v2.0	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rclone.org/docs/#metadata-mapper)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://auth.api.rackspacecloud.com/v1.0failed	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://XXX.sharepoint.com/teams/ID	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://api.imagekit.io/v2overwriteIgnoreNonexistingError	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://link.storjshare.iofailed	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rclone.org/drive/#making-your-own-client-id	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://sky-auth.telia.no/auth/realms/get/protocol/openid-connect/authcan	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.cloud.oracle.com/Content/Object/Tasks/usingyourencryptionkeys.htm).Upload	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://my.hidrive.com/client/authorizeFull	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdxml:	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://nextcloud.org/ns	project.exe, 00000000.00000000.1508386354.0000000003B8B000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rclone.org/bisync/)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/file/d/0AxBe_CDEF4zkGHI4d0FjYko2QkD/view?usp=drivesdk	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.rclone.org/v1.42	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://plex.tv/users/sign_in.jsonerror	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/rclone/rclone/issues/7454)).	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://oauth.rclone.org/ShareFile.Api.Models.Filecouldn	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://pkg.go.dev/runtime/debug#SetMemoryLimit	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/understandingstoragetiers.htm--sftp-ssh	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/rclone/rclone/issues/4673	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://go.dev/doc/gc-guide	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://api.idrivee2.com/api/service/get_region_end_pointDeleting	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://issuetracker.google.com/issues/149522397	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://uptobox.com/my_account.fs	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:8080/	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://godoc.org/encoding/csv)	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://forum.rclone.org/t/31922	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Replication/GetReplicationPolicyhttps:/	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://XXX.sharefile.com	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/:Clienturn:schemas-upnp-org:service:ConnectionManager:1Retr	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.2	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htmDon	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/Object/RestoreObjectscredential	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.oracle.com/iaas/api/#/en/objectstorage/20160918/WorkRequestLogEntry/ListWorkRequestLogs	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.0	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.1	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud.google.com/storage/docs/bucket-policy-only	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://uloz.to/upload-resumable-api-beta	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://developers.google.com/drive/api/guides/ref-search-terms).	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://jfs.jottacloud.com/jfs/couldn	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://cloud-api.yandex.com/v1/diskfailed	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://forum.rclone.org/).	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://login.chinacloudapi.cn/upload/close_file_upload.json/upload/upload_file_chunk.jsontimeout	project.exe, 00000000.00000000.1506138729.0000000001C58000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1462735
Start date and time:	2024-06-26 00:36:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	project.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@6/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: project.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\project.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.635158451607599
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	project.exe
File size:	84'973'456 bytes
MD5:	2b9cef8cf6801b96fd404a6436da80ed
SHA1:	1ce86e613c56d643db8a4909da275fea526bda35
SHA256:	b87aa54a7352136564ac19a66a89529d95aaf7bbd2474f035e4fd83d65ae579c
SHA512:	9fa2be3ed867de3910881e2b353d8ff9f3ff25125bb458ba7f4b099adf63529a61906def887d1f3f61e0a50532b7a462e94979bce4b905bbaf712025349ef51e
SSDEEP:	786432:Z/i5jul6pr3WPPzFCmoFuTF0XUZpMgniP3l3gennj2S:ZbASPrVpMgZUiS
TLSH:	0E186C53F89541B9CAEDD634C5A682227B707C499B3267CB2B60F6347E72BC057BA340
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........\|..I?...."......n...^......`I........@..............................p............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x474960
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	ea509d361799935a94335b88f534a970

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	16/03/2023 01:00:00 26/02/2025 00:59:59
Subject Chain	CN="Krisp Technologies, Inc", O="Krisp Technologies, Inc", L=Berkeley, S=California, C=US, SERIALNUMBER=6543638, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	354668F95C493E3500BDD53C92105915
Thumbprint SHA-1:	C8C62AC35E4A4564F9BCF2B158AD7DC9B0891F84
Thumbprint SHA-256:	4D10B53317FBF86654BF49062C31D1765560F098549D354DB45D1F15F890C98C
Serial:	0CE30BB03E421B33BC87CDA53E842795

Entrypoint Preview

Instruction
jmp 00007F3F54D9B530h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [0398081Eh]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F3F54D9EE55h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F3F54D7D44Fh
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ac2000	0x552	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3a19000	0xa9c50	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5106e00	0x2990	.symtab
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4ac3000	0x93736	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37beba0	0x180	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1886ca4	0x1886e00	0ebf42a0ad1aafbae816db145d3aac51	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1888000	0x1f32a38	0x1f32c00	930f06373f267c66c26bf81f17ed7ba6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x37bb000	0x25de60	0x1d5e00	7349d88db55861591946ce1bc05d5bbf	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3a19000	0xa9c50	0xa9e00	c595bbcd70572cc72d2dee0ce42ea875	False	0.39286699779249445	data	6.071377333107608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x3ac3000	0xa8	0x200	673eb0cb30fca49fc02d73a2fcc681bc	False	0.19921875	data	1.6345075234569126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x3ac4000	0x129	0x200	17f62672c8506464ae13eccc2eb6cb94	False	0.623046875	data	5.081946473254993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x3ac5000	0x3553c1	0x355400	d331b12990bcd0ca9260fb9e09df8d41	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x3e1b000	0xdd404	0xdd600	a005fbd22c0654222d5ce8a8f00940ba	False	0.9894712115330322	data	7.933131593959694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x3ef9000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x3efa000	0x65163a	0x651800	5e938b0634efd582bd19180ef5274631	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x454c000	0x488930	0x488a00	32992ee6206d74526ed4324001e8315b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x49d5000	0xecefa	0xed000	a4bd9f0978b7590c342824d5ebf41b50	False	0.9683925451608649	data	7.8155174693495155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x4ac2000	0x552	0x600	4d580c2e39a5aa9ad202f8659f8cc8ba	False	0.376953125	data	4.207508894563258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4ac3000	0x93736	0x93800	1fbc6ff6e4d3287814091dbf18396f4b	False	0.1317780058262712	data	5.466072548631456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x4b57000	0x63f0e0	0x63f200	7a961f8feb634afbb8cdf2b7f1a83884	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

• project.exe
• conhost.exe
• WMIC.exe
• tasklist.exe

Click to jump to process

Memory Usage

• project.exe
• conhost.exe
• WMIC.exe
• tasklist.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	18:37:37
Start date:	25/06/2024
Path:	C:\Users\user\Desktop\project.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\project.exe"
Imagebase:	0x3d0000
File size:	84'973'456 bytes
MD5 hash:	2B9CEF8CF6801B96FD404A6436DA80ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:37:38
Start date:	25/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:37:39
Start date:	25/06/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6c48d0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:37:39
Start date:	25/06/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff763c60000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report project.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: project.exePID: 4940, Parent PID: 4084

General

File Activities

File Opened

File Created

Windows Analysis Report
project.exe