
Windows Analysis Report
xpmg.exe

Overview

General Information

Sample name: xpmg.exe
Analysis ID: 1644979
MD5: 73e43654e9f3df0d07d25051b2d3cfeb
SHA1: 6eebcc3ab72ea0eeb5b9d3340145b41bea23423b
SHA256: 666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e
Tags: exe, user-NDA0E

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Creates COM task schedule object (often to register a task for autostart)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Enables security privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine

Classification

  • System is w10x64
  • xpmg.exe (PID: 8776 cmdline: "C:\Users\user\Desktop\xpmg.exe" MD5: 73E43654E9F3DF0D07D25051B2D3CFEB)
  • xpmg.exe (PID: 8804 cmdline: C:\Users\user\Desktop\xpmg.exe MD5: 73E43654E9F3DF0D07D25051B2D3CFEB)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: xpmg.exe | Virustotal: Detection: 15%
Source: xpmg.exe | ReversingLabs: Detection: 19%
Source: xpmg.exe, 00000000.00000002.2583505909.00007FF713BB1000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_5d7ce34c-b
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: xpmg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 155.138.150.12:7712
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | TCP traffic detected without corresponding DNS query: 155.138.150.12
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgPro44H
Source: xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgm
Source: xpmg.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: xpmg.exe | String found in binary or memory: https://curl.se/docs/hsts.html
Source: xpmg.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: C:\Users\user\Desktop\xpmg.exe | Process token adjusted: Security
Source: classification engine | Classification label: mal48.winEXE@2/0@1/3
Source: C:\Users\user\Desktop\xpmg.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mutant-1A20A71F2BD07CF9112315300FE9AC993C8E2F281140ED49BE3E2D3803333AF6
Source: xpmg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xpmg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xpmg.exe, 00000000.00000000.1331304995.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp, xpmg.exe, 00000000.00000002.2583505909.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp, xpmg.exe, 00000001.00000000.1340589170.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp, xpmg.exe, 00000001.00000002.1342339097.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: xpmg.exe, 00000000.00000000.1331304995.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp, xpmg.exe, 00000000.00000002.2583505909.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp, xpmg.exe, 00000001.00000000.1340589170.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp, xpmg.exe, 00000001.00000002.1342339097.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: xpmg.exe | String found in binary or memory: Accept-Additions
Source: xpmg.exe | String found in binary or memory: List-Help
Source: xpmg.exe | String found in binary or memory: MMHS-Exempted-Address
Source: xpmg.exe | String found in binary or memory: Originator-Return-Address
Source: xpmg.exe | String found in binary or memory: id-cmc-addExtensions
Source: xpmg.exe | String found in binary or memory: set-addPolicy
Source: xpmg.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectorycw-outbodyheadercw_out, wrote %zu %s bytes -> %zuWrite callback asked for PAUSE when not supportedcw_out, PAUSE requested by clientclient returned ERROR on write of %zu bytesFailure writing output to destination, passed %zu returned %zd notcw-out is%spausedcw-out done--:--:--%2lld:%02lld:%02lld%3lldd %02lldh%7lldd%5lld%4lldk%2lld.%0lldM%4lldM%2lld.%0lldG%4lldG%4lldT%4lldP** Resuming transfer from byte position %lld
Source: unknown | Process created: C:\Users\user\Desktop\xpmg.exe "C:\Users\user\Desktop\xpmg.exe"
Source: unknown | Process created: C:\Users\user\Desktop\xpmg.exe C:\Users\user\Desktop\xpmg.exe
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xpmg.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\xpmg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: xpmg.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: xpmg.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: xpmg.exe | Static file information: File size 11450880 > 1048576
Source: xpmg.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x819800
Source: xpmg.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x257800
Source: xpmg.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: xpmg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xpmg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xpmg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xpmg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xpmg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xpmg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: xpmg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xpmg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xpmg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xpmg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xpmg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\xpmg.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: xpmg.exe, 00000001.00000002.1341429434.000002A80775D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllddQ
Source: C:\Users\user\Desktop\xpmg.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xpmg.exe | Code function: 0_2_00007FF7139AD4A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7139AD4A8
Source: C:\Users\user\Desktop\xpmg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (numbers in parentheses are the count of matched signatures; cells without a count are unmatched placeholder techniques):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Scheduled Task/Job (1) | Process Injection (1) | Process Injection (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | Scheduled Task/Job (1) | DLL Side-Loading (1) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Obfuscated Files or Information | Security Account Manager | System Information Discovery (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Behavior Graph (image; recoverable labels only): Behavior Graph ID: 1644979, Sample: xpmg.exe, Startdate: 21/03/2025, Architecture: WINDOWS, Score: 48. Processes: xpmg.exe (started), xpmg.exe (started). Signature: Multi AV Scanner detection for submitted file. DNS/IP nodes: api.ipify.org (104.26.12.205, port 443, local port 49723, CLOUDFLARENETUS, United States); 155.138.150.12 (local port 49720, port 7712, AS-CHOOPAUS, United States); 127.0.0.1 (unknown).

Source | Detection | Scanner | Label
xpmg.exe | 15% | Virustotal |
xpmg.exe | 19% | ReversingLabs | Win64.Trojan.SpywareX
No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.orgm | 0% | Avira URL Cloud | safe
https://api.ipify.orgPro44H | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html | xpmg.exe | false | | high
https://api.ipify.org | xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.ipify.orgm | xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.orgPro44H | xpmg.exe, 00000000.00000002.2582873773.000002D43BDE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | xpmg.exe | false | | high
https://curl.se/docs/http-cookies.html | xpmg.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
155.138.150.12 | unknown | United States | 20473 | AS-CHOOPAUS | false

Private/loopback IP: 127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644979
Start date and time: 2025-03-21 09:04:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xpmg.exe
Detection: MAL
Classification: mal48.winEXE@2/0@1/3
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 23.96.180.189, 150.171.28.10, 23.44.201.12
• Excluded domains from analysis (whitelisted): www.bing.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target xpmg.exe, PID 8776 because there are no executed functions
• Execution Graph export aborted for target xpmg.exe, PID 8804 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
09:05:14 | Task Scheduler | Run new task: MSTR tsk path: C:\Users\user\Desktop\xpmg.exe
              No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.7161526004645
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: xpmg.exe
File size: 11'450'880 bytes
MD5: 73e43654e9f3df0d07d25051b2d3cfeb
SHA1: 6eebcc3ab72ea0eeb5b9d3340145b41bea23423b
SHA256: 666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e
SHA512: 871600ae79b26bde4b5601fcf3c9e2e3d2a9f9bc04cd06d10cf69036a714a5b89b811da07070e021e7d844fc8c57a406e17361e8f738b1068b24d989e40e659c
SSDEEP: 196608:KoykUxv987qMNR4Ok/RDpgPnqSuR3pfRkAJ:7UxFUqMNR4Ok5DpgPnqSuR3pfRf
TLSH: 64B6AE5AA2B800D8D4BBC078CA569617E7B1741D03F057EF26A496F52F23BE07E7A740
File Content Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......1..=u..nu..nu..n...ob..n...o...nd}.n|..nd}.oa..nd}.o{..nd}.o...n...oW..n>~.o...nu..nK..n...ot..n...of..nu..n...n.}.o...n.}.o...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x14079ce50
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x67CCC528 [Sat Mar 8 22:31:04 2025 UTC]
TLS Callbacks: 0x4079c5d0, 0x1, 0x4079d1a0, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: b499fbb2966a868acfd7581339fc5018
              Data directories
              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT          0xa7050c         0xc8          .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb0b000         0x1e0         .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xabc000         0x4e618       .pdata
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0c000         0xeee8        .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0x9e9a10         0x1c          .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0x9e9c00         0x28          .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9e98d0         0x140         .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0x81b000         0xaa8         .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
              Sections
              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
              .text   0x1000           0x8197c0      0x819800  d5e704faf062061fd2f7806c0772d859  unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata  0x81b000         0x2577b2      0x257800  7404ab2c72bbde461896fb5967002f19  unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data   0xa73000         0x4897c       0x1cc00   8b4ca124fc16babe0804dbf2f53e42ea  False     0.1606148097826087   data       4.8288102616911    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .pdata  0xabc000         0x4e618       0x4e800   624699aa34c2f48cd612f99f0da8c9c3  False     0.48581185310509556  data       6.474035881676496  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc   0xb0b000         0x1e0         0x200     61b1f16028358d050dfad06e2a1e19fc  False     0.53125              data       4.7137725829467545 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc  0xb0c000         0xeee8        0xf000    96181a1406d89d30e5c02ff2df55d70f  False     0.26925455729166664  data       5.459649082470015  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Resources
              Name         RVA       Size   Type                                                       Language  Country        ZLIB Complexity
              RT_MANIFEST  0xb0b060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
              Imports (DLL: imported functions)
              ole32.dll: CoInitialize, StgCreateDocfile, CoTaskMemFree, CoCreateInstance, CoUninitialize
              USER32.dll: GetUserObjectInformationW, MessageBoxW, GetProcessWindowStation
              WS2_32.dll: gethostname, __WSAFDIsSet, inet_ntop, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, WSAIoctl, inet_pton, sendto, recvfrom, getpeername, socket, listen, bind, accept, send, recv, getservbyname, getservbyport, gethostbyaddr, inet_ntoa, inet_addr, gethostbyname, getsockname, freeaddrinfo, getaddrinfo, shutdown, ntohs, WSASocketW, WSARecv, select, getsockopt, connect, WSAStringToAddressW, WSASend, WSAGetLastError, WSASetLastError, WSACleanup, WSAStartup, setsockopt, ntohl, htons, htonl, ioctlsocket, closesocket
              bcrypt.dll: BCryptGenRandom
              ADVAPI32.dll: CryptDestroyKey, RegOpenKeyExW, RegGetValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegEnumValueW, SystemFunction036, CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, CryptEnumProvidersA, CryptAcquireContextW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptEncrypt, CryptImportKey, RegCloseKey, CryptDestroyHash
              KERNEL32.dll: QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, DuplicateHandle, LoadLibraryExW, FreeLibraryAndExitThread, GetThreadTimes, GetCurrentThread, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LCMapStringEx, GetCPInfo, CompareStringEx, DecodePointer, EncodePointer, SignalObjectAndWait, CreateThread, GetThreadPriority, GetCurrentProcessorNumberEx, GetLogicalProcessorInformationEx, GetNumaHighestNodeNumber, GetThreadGroupAffinity, SetThreadGroupAffinity, GetProcessAffinityMask, ExitThread, ResumeThread, SetConsoleCtrlHandler, ExitProcess, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, SetStdHandle, GetLastError, FormatMessageA, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, LocalFree, CloseHandle, SetLastError, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, WaitForSingleObject, SleepEx, CreateEventW, SetWaitableTimer, WaitForMultipleObjects, QueueUserAPC, TerminateThread, InitializeCriticalSectionEx, CreateWaitableTimerW, LoadLibraryA, InitializeCriticalSection, Sleep, GetSystemInfo, VirtualFree, GetEnvironmentVariableW, GetCurrentDirectoryW, CreateDirectoryW, CreateFileW, DeleteFileW, FlushFileBuffers, GetFileAttributesW, GetFileInformationByHandle, GetFileTime, GetFullPathNameW, RemoveDirectoryW, SetEndOfFile, SetFileAttributesW, SetFilePointerEx, DeviceIoControl, GetWindowsDirectoryW, GetModuleHandleW, GetProcAddress, CreateDirectoryExW, CopyFileExW, GetConsoleOutputCP, AreFileApisANSI, DeleteFileA, GetTempPathA, GetTempFileNameA, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetCurrentProcess, GetExitCodeProcess, GetNativeSystemInfo, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExA, CreateFileA, GetFileAttributesExA, LockFileEx, UnlockFileEx, FreeLibrary, LoadLibraryW, FindClose, ResetEvent, CreateEventA, GetTickCount, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, GetSystemTime, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetProcessHeap, GetCurrentProcessId, GetFileSize, UnlockFile, HeapDestroy, HeapCompact, HeapAlloc, HeapReAlloc, WaitForSingleObjectEx, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, HeapSize, HeapValidate, CloseThreadpoolWait, CreateMutexW, GetTempPathW, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapFree, HeapCreate, ReadFile, RaiseException, TryEnterCriticalSection, GetCurrentThreadId, RtlVirtualUnwind, GetStdHandle, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, GetACP, ReleaseSemaphore, GetExitCodeThread, CreateSemaphoreA, GetSystemDirectoryA, TerminateProcess, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, FindFirstFileW, FindNextFileW, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, SetThreadPriority, GetFileSizeEx, CreateFileMappingA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, QueryPerformanceFrequency, GetSystemDirectoryW, GetEnvironmentVariableA, VerSetConditionMask, GetModuleHandleA, VerifyVersionInfoW, PeekNamedPipe, SetThreadpoolWait, CreateThreadpoolWait, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, CreateThreadpoolTimer, FreeLibraryWhenCallbackReturns, FlushProcessWriteBuffers, CreateSemaphoreExW, CreateEventExW, SetEnvironmentVariableW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, IsValidCodePage, WriteConsoleW, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, MoveFileExW, UnmapViewOfFile, SwitchToThread, ReleaseSRWLockShared, AcquireSRWLockShared, TryAcquireSRWLockExclusive, SleepConditionVariableSRW, GetTickCount64, GetStringTypeW, WakeAllConditionVariable, GetLocaleInfoEx, FindFirstFileExW, FreeEnvironmentStringsW
              OLEAUT32.dll: OleCreatePropertyFrame, SysAllocStringByteLen, SysStringByteLen, VariantClear, VariantInit, SysFreeString, SysAllocString
              ntdll.dll: RtlPcToFileHeader, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlUnwind
              CRYPT32.dll: CertGetCertificateChain, CertCloseStore, CertFindCertificateInStore, CertFreeCertificateContext, CertOpenSystemStoreW, CertOpenStore, CertEnumCertificatesInStore, CryptStringToBinaryW, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringW, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertFreeCertificateChain
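The Import Hash above (b499fbb2966a868acfd7581339fc5018) is the MD5 of the normalised "dll.function" import list in import-directory order, which is what makes it a useful pivot between samples built from the same source. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses import rows in the form the report prints them (tolerating both "USER32.dll: Foo, Bar" and the fused "ole32.dllCoInitialize, ..." variant), normalises them the way pefile's get_imphash() does (lower case, .dll/.ocx/.sys stripped, ordinal-only imports written as ordN) and hashes the result. The sample rows are transcribed from the table above but truncated to a few functions per DLL, so the hash it prints is illustrative and will not equal the report's value; pefile also resolves known ordinals for ws2_32.dll and oleaut32.dll to names, which this script does not do.

```python
"""imphash over a PE import table (added example, not from the sandbox report)."""
import hashlib
import re

# Constructed sample: the first functions of each import row above, truncated.
SAMPLE_ROWS = [
    "ole32.dllCoInitialize, StgCreateDocfile, CoTaskMemFree, CoCreateInstance, CoUninitialize",
    "USER32.dll: GetUserObjectInformationW, MessageBoxW, GetProcessWindowStation",
    "WS2_32.dll: gethostname, __WSAFDIsSet, inet_ntop, WSAWaitForMultipleEvents",
    "bcrypt.dll: BCryptGenRandom",
    "ADVAPI32.dll: CryptDestroyKey, RegOpenKeyExW, RegGetValueW, SystemFunction036",
    "KERNEL32.dll: QueryDepthSList, InterlockedFlushSList, IsDebuggerPresent, CreateThread",
    "OLEAUT32.dll: OleCreatePropertyFrame, SysAllocStringByteLen, SysFreeString",
    "ntdll.dll: RtlPcToFileHeader, RtlCaptureContext, RtlLookupFunctionEntry",
    "CRYPT32.dll: CertGetCertificateChain, CertCloseStore, PFXImportCertStore",
]

# "<dll>.<ext>" followed by an optional ": " and the comma-separated function list;
# the non-greedy match lets the extension be fused directly to the first name.
_ROW = re.compile(r"^\s*(\S+?\.(?:dll|ocx|sys))\s*:?\s*(.*)$", re.IGNORECASE)


def parse_row(row):
    """Split one report row into (dll name, [function name or int ordinal, ...])."""
    m = _ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised import row: {row!r}")
    dll, rest = m.group(1), m.group(2)
    funcs = []
    for tok in (t.strip() for t in rest.split(",")):
        if not tok:
            continue
        # Ordinal-only imports are conventionally written "#123" or "ord123".
        if tok.startswith("#") and tok[1:].isdigit():
            funcs.append(int(tok[1:]))
        elif tok.lower().startswith("ord") and tok[3:].isdigit():
            funcs.append(int(tok[3:]))
        else:
            funcs.append(tok)
    return dll, funcs


def import_string(imports):
    """pefile-style normalisation: lower case, extension stripped, ordinals as ordN,
    one 'lib.func' entry per import, joined with commas in the given order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib.rsplit(".", 1)[0]
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string; order-sensitive, case-insensitive."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def imphash_from_rows(rows):
    return imphash([parse_row(r) for r in rows])


if __name__ == "__main__":
    print(import_string([parse_row(SAMPLE_ROWS[0])]))
    print("imphash over the truncated sample:", imphash_from_rows(SAMPLE_ROWS))
```

Because the hash is order-sensitive, two builds of the same code base that link the same libraries in the same order share an imphash even when their code sections differ, while a repacked or statically relinked binary does not; treat a match as a lead to confirm, not as identification.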
              Language of compilation system  Country where language is spoken
              English                         United States

              Network PCAP summary
              • Total Packets: 19
              • Ports seen: 7712 (no registered service), 443 (HTTPS), 53 (DNS)
              TCP packets
              Timestamp                            Source Port  Dest Port  Source IP       Dest IP
              Mar 21, 2025 09:05:15.094430923 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:05:15.195662975 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:05:15.195816040 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:05:15.313082933 CET  49723        443        192.168.2.5     104.26.12.205
              Mar 21, 2025 09:05:15.313165903 CET  443          49723      104.26.12.205   192.168.2.5
              Mar 21, 2025 09:05:15.313260078 CET  49723        443        192.168.2.5     104.26.12.205
              Mar 21, 2025 09:05:15.328042030 CET  49723        443        192.168.2.5     104.26.12.205
              Mar 21, 2025 09:05:15.328079939 CET  443          49723      104.26.12.205   192.168.2.5
              Mar 21, 2025 09:05:15.545646906 CET  443          49723      104.26.12.205   192.168.2.5
              Mar 21, 2025 09:05:15.545737028 CET  49723        443        192.168.2.5     104.26.12.205
              Mar 21, 2025 09:05:15.555084944 CET  49723        443        192.168.2.5     104.26.12.205
              Mar 21, 2025 09:05:15.555244923 CET  443          49723      104.26.12.205   192.168.2.5
              Mar 21, 2025 09:05:15.555318117 CET  49723        443        192.168.2.5     104.26.12.205
              Mar 21, 2025 09:05:15.555521965 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:05:15.657694101 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:05:15.699187040 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:05:30.814527988 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:05:30.814814091 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:05:45.923623085 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:05:45.923759937 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:06:01.033638000 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:06:01.033759117 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:06:16.143450975 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:06:16.143543005 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:06:31.255086899 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:06:31.255238056 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:06:46.363018036 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:06:46.363409996 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:07:01.476632118 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:07:01.476891994 CET  49720        7712       192.168.2.5     155.138.150.12
              Mar 21, 2025 09:07:16.597322941 CET  7712         49720      155.138.150.12  192.168.2.5
              Mar 21, 2025 09:07:16.597414017 CET  49720        7712       192.168.2.5     155.138.150.12
              Two flows are visible. The short 443 exchange with 104.26.12.205 is the api.ipify.org lookup resolved in the DNS section below (the "May check the online IP address" signature). The 155.138.150.12:7712 connection is opened first, completes a brief exchange, and then settles into a fixed cadence: the remote side sends a packet roughly every 15.1 s (09:05:30.81, 09:05:45.92, 09:06:01.03, ...) and the sample answers within a millisecond. That is the shape of a keep-alive or job-polling loop over a long-lived session on a non-standard port (the "non-standard ports" signature), and no DNS query precedes it in this capture, so the address is presumably carried in the binary or its configuration rather than resolved by name.
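The cadence on port 7712 is the kind of thing a detection engineer wants to measure rather than eyeball. The script below is an added example, not part of the Joe Sandbox report: it takes the packet timeline transcribed from the TCP and DNS tables above (fractional seconds truncated to microseconds, all on 2025-03-21), groups each flow into request/response exchanges, scores the regularity of the gaps between exchanges, records which side opens them, and cross-checks the remote addresses against the DNS answers to find hard-coded peers and external-IP-lookup services. The burst window (1 s), minimum sample count (4 gaps), jitter threshold (10 % coefficient of variation) and the list of IP-check domains are the author's assumptions, not sandbox settings.

```python
"""Periodicity and external-IP-lookup triage over a sandbox network timeline.
Added example, not part of the sandbox report; records transcribed from the tables above."""
from datetime import datetime
from statistics import median, pstdev

DAY = "2025-03-21 "
LOCAL = "192.168.2.5"                    # the analysis VM
REMOTE_7712 = ("155.138.150.12", 7712)   # non-standard port, no preceding DNS lookup
IPIFY_443 = ("104.26.12.205", 443)       # api.ipify.org, per the DNS answer in the report

# (time, direction, remote endpoint); ">" = LOCAL -> remote, "<" = remote -> LOCAL
TCP_EVENTS = [
    ("09:05:15.094430", ">", REMOTE_7712), ("09:05:15.195662", "<", REMOTE_7712),
    ("09:05:15.195816", ">", REMOTE_7712), ("09:05:15.313082", ">", IPIFY_443),
    ("09:05:15.313165", "<", IPIFY_443),   ("09:05:15.313260", ">", IPIFY_443),
    ("09:05:15.328042", ">", IPIFY_443),   ("09:05:15.328079", "<", IPIFY_443),
    ("09:05:15.545646", "<", IPIFY_443),   ("09:05:15.545737", ">", IPIFY_443),
    ("09:05:15.555084", ">", IPIFY_443),   ("09:05:15.555244", "<", IPIFY_443),
    ("09:05:15.555318", ">", IPIFY_443),   ("09:05:15.555521", ">", REMOTE_7712),
    ("09:05:15.657694", "<", REMOTE_7712), ("09:05:15.699187", ">", REMOTE_7712),
    ("09:05:30.814527", "<", REMOTE_7712), ("09:05:30.814814", ">", REMOTE_7712),
    ("09:05:45.923623", "<", REMOTE_7712), ("09:05:45.923759", ">", REMOTE_7712),
    ("09:06:01.033638", "<", REMOTE_7712), ("09:06:01.033759", ">", REMOTE_7712),
    ("09:06:16.143450", "<", REMOTE_7712), ("09:06:16.143543", ">", REMOTE_7712),
    ("09:06:31.255086", "<", REMOTE_7712), ("09:06:31.255238", ">", REMOTE_7712),
    ("09:06:46.363018", "<", REMOTE_7712), ("09:06:46.363409", ">", REMOTE_7712),
    ("09:07:01.476632", "<", REMOTE_7712), ("09:07:01.476891", ">", REMOTE_7712),
    ("09:07:16.597322", "<", REMOTE_7712), ("09:07:16.597414", ">", REMOTE_7712),
]
# Query name -> answered addresses, from the DNS table in the report.
DNS_ANSWERS = {"api.ipify.org": ["104.26.12.205", "172.67.74.152", "104.26.13.205"]}
# Public "what is my IP" services; a partial list chosen by the author (assumption).
IP_CHECK_DOMAINS = {"ipify.org", "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com", "ip-api.com"}


def _ts(t):
    return datetime.strptime(DAY + t, "%Y-%m-%d %H:%M:%S.%f")


def bursts(events, remote, window=1.0):
    """Group one flow's packets into exchanges: packets less than `window` apart belong
    together. Returns [(timestamp of first packet, direction of that packet), ...]."""
    out, last = [], None
    for ts, d in sorted((_ts(t), d) for t, d, r in events if r == remote):
        if last is None or (ts - last).total_seconds() >= window:
            out.append((ts, d))
        last = ts
    return out


def burst_gaps(events, remote, window=1.0):
    """Seconds between the starts of successive exchanges with one remote endpoint."""
    starts = [ts for ts, _ in bursts(events, remote, window)]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def beacon_score(gaps, min_gaps=4):
    """(median interval, coefficient of variation) or None if too few samples.
    A small CV means the exchanges recur on a fixed schedule."""
    if len(gaps) < min_gaps:
        return None
    m = median(gaps)
    return m, pstdev(gaps) / m


def is_beacon(events, remote, max_cv=0.10):
    score = beacon_score(burst_gaps(events, remote))
    return score is not None and score[1] <= max_cv


def remote_initiated_share(events, remote):
    """Fraction of exchanges opened by the remote side, i.e. the peer polls the sample."""
    openers = [d for _, d in bursts(events, remote)]
    return sum(d == "<" for d in openers) / len(openers)


def unresolved_remotes(events, dns_answers):
    """Remote IPs contacted without a matching DNS answer: likely hard-coded."""
    resolved = {ip for addrs in dns_answers.values() for ip in addrs}
    return {ip for _, _, (ip, _) in events} - resolved


def ip_check_lookups(dns_answers):
    """Queried names that belong to a known external-IP-lookup service."""
    hits = []
    for name in dns_answers:
        n = name.lower().rstrip(".")
        if n in IP_CHECK_DOMAINS or any(n.endswith("." + d) for d in IP_CHECK_DOMAINS):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for remote in (REMOTE_7712, IPIFY_443):
        gaps = burst_gaps(TCP_EVENTS, remote)
        print(remote, "exchanges:", len(gaps) + 1, "beacon:", is_beacon(TCP_EVENTS, remote),
              "score:", beacon_score(gaps))
    print("share of exchanges opened by 155.138.150.12:", remote_initiated_share(TCP_EVENTS, REMOTE_7712))
    print("remotes never resolved via DNS:", unresolved_remotes(TCP_EVENTS, DNS_ANSWERS))
    print("external-IP lookups:", ip_check_lookups(DNS_ANSWERS))
```

On this capture the 7712 flow yields eight gaps with a median near 15.1 s and a coefficient of variation of about 1 % (the first gap is longer because the initial exchange starts with the client's connect), eight of nine exchanges are opened by the remote side, 155.138.150.12 is the only peer with no DNS answer behind it, and api.ipify.org is flagged as an IP-check service. The 443 flow is a single exchange and is not scored. A three-minute capture is short for beacon analysis; rerun on a longer trace before treating the interval as a stable indicator.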
              UDP packets
              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
              Mar 21, 2025 09:05:15.206145048 CET  56272        53         192.168.2.5  1.1.1.1
              Mar 21, 2025 09:05:15.307146072 CET  53           56272      1.1.1.1      192.168.2.5
              DNS queries
              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
              Mar 21, 2025 09:05:15.206145048 CET  192.168.2.5  1.1.1.1  0xed68    Standard query (0)  api.ipify.org  A (IP address)  IN (0x0001)  false
              DNS answers
              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
              Mar 21, 2025 09:05:15.307146072 CET  1.1.1.1    192.168.2.5  0xed68    No error (0)  api.ipify.org  -      104.26.12.205  A (IP address)  IN (0x0001)  false
              Mar 21, 2025 09:05:15.307146072 CET  1.1.1.1    192.168.2.5  0xed68    No error (0)  api.ipify.org  -      172.67.74.152  A (IP address)  IN (0x0001)  false
              Mar 21, 2025 09:05:15.307146072 CET  1.1.1.1    192.168.2.5  0xed68    No error (0)  api.ipify.org  -      104.26.13.205  A (IP address)  IN (0x0001)  false
              [Charts omitted: network activity over time (0 to 100 s), memory usage over time (0 to 20 MB), and per-process behavior distribution across File, Registry and Network events]

              Target ID:0
              Start time:04:05:13
              Start date:21/03/2025
              Path:C:\Users\user\Desktop\xpmg.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\xpmg.exe"
              Imagebase:0x7ff713210000
              File size:11'450'880 bytes
              MD5 hash:73E43654E9F3DF0D07D25051B2D3CFEB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:false

              Target ID:1
              Start time:04:05:14
              Start date:21/03/2025
              Path:C:\Users\user\Desktop\xpmg.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\xpmg.exe
              Imagebase:0x7ff713210000
              File size:11'450'880 bytes
              MD5 hash:73E43654E9F3DF0D07D25051B2D3CFEB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Non-executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2583025931.00007FF713211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF713210000, based on PE: true
              • Associated: 00000000.00000002.2583007976.00007FF713210000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583505909.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583505909.00007FF713B6A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583505909.00007FF713B7A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583505909.00007FF713BB1000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583696263.00007FF713C83000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583714489.00007FF713C89000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583731143.00007FF713C8B000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583747990.00007FF713C8E000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583768426.00007FF713C9F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583768426.00007FF713CA5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583768426.00007FF713CC2000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583768426.00007FF713CC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583768426.00007FF713CC8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2583855357.00007FF713CCC000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff713210000_xpmg.jbxd
              Similarity
              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
              • String ID:
              • API String ID: 2933794660-0
              • Opcode ID: 454cca1ede7e80584f40fc93be870ff6eee4bb71ff6e9de45d95394c0ddd3ac7
              • Instruction ID: 2c5b2996b87e0adad332391348b47ecfd077fe57b82032d89f84dc4811139ac5
              • Opcode Fuzzy Hash: 454cca1ede7e80584f40fc93be870ff6eee4bb71ff6e9de45d95394c0ddd3ac7
              • Instruction Fuzzy Hash: 3D117032B14F068AEB40DF60E8556B873A4FB19B68F840E31EA6D577A4DF3CE1588350

              Non-executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.1341638305.00007FF713211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF713210000, based on PE: true
              • Associated: 00000001.00000002.1341619978.00007FF713210000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342339097.00007FF713A2B000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342339097.00007FF713B6A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342339097.00007FF713B7A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342339097.00007FF713BB1000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342573403.00007FF713C83000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342591293.00007FF713C89000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342606074.00007FF713C8C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342624718.00007FF713C8E000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342649898.00007FF713C9F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342649898.00007FF713CA5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342649898.00007FF713CC2000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342649898.00007FF713CC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342649898.00007FF713CC9000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1342741668.00007FF713CCC000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ff713210000_xpmg.jbxd
              Similarity
              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
              • String ID:
              • API String ID: 2933794660-0
              • Opcode ID: 454cca1ede7e80584f40fc93be870ff6eee4bb71ff6e9de45d95394c0ddd3ac7
              • Instruction ID: 2c5b2996b87e0adad332391348b47ecfd077fe57b82032d89f84dc4811139ac5
              • Opcode Fuzzy Hash: 454cca1ede7e80584f40fc93be870ff6eee4bb71ff6e9de45d95394c0ddd3ac7
              • Instruction Fuzzy Hash: 3D117032B14F068AEB40DF60E8556B873A4FB19B68F840E31EA6D577A4DF3CE1588350