Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
1https.exe

Overview

General Information

Sample name:1https.exe
Analysis ID:1645365
MD5:3f6dd6c85f9e9a02fdea20076f69b66d
SHA1:378b9c81eaa3cb51179a436ecb293d4da46fb66a
SHA256:89b49994b3ab46875d0128673c87f15854bee5aff7ed13a812035c91a988636c
Infos:

Detection

Sliver
Score:64
Range:0 - 100
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
Creates a process in suspended mode (likely to inject code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64_ra
  • 1https.exe (PID: 3644 cmdline: "C:\Users\user\Desktop\1https.exe" MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
  • rundll32.exe (PID: 1312 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cmd.exe (PID: 1968 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 1https.exe (PID: 4152 cmdline: 1https.exe MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
    • 1https.exe (PID: 3540 cmdline: 1https.exe /? MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
    • 1https.exe (PID: 5280 cmdline: 1https.exe -? MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
SliverAccording to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1https.exeJoeSecurity_SliverYara detected Sliver ImplantsJoe Security
    1https.exeMulti_Trojan_Bishopsliver_42298c4aunknownunknown
    • 0xcf923f:$a1: ).RequestResend
    • 0xce83a8:$a2: ).GetPrivInfo
    1https.exeINDICATOR_TOOL_SliverDetects Sliver implant cross-platform adversary emulation/red teamditekSHen
    • 0xa2bbb3:$s3: .WGTCPForwarder
    • 0xa2c86c:$s3: .WGTCPForwarder
    • 0xa2d825:$s3: .WGTCPForwarder
    • 0xa2e8d1:$s3: .WGTCPForwarder
    • 0xa3030d:$s3: .WGTCPForwarder
    • 0xa310f7:$s3: .WGTCPForwarder
    • 0xa293e7:$s6: .BackdoorReq
    • 0xa2baff:$s7: .ProcessDumpReq
    • 0xa2df5a:$s8: .InvokeSpawnDllReq
    • 0xa257a1:$s9: .SpawnDll
    • 0xa29546:$s9: .SpawnDll

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_SliverYara detected Sliver ImplantsJoe Security
      00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_SliverYara detected Sliver ImplantsJoe Security
        00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_SliverYara detected Sliver ImplantsJoe Security
          00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_SliverYara detected Sliver ImplantsJoe Security
            00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_SliverYara detected Sliver ImplantsJoe Security
              Click to see the 10 entries

              Sigma Signatures

              No Sigma rule has matched

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              • AV Detection
              • Compliance
              • Spreading
              • Networking
              • Key, Mouse, Clipboard, Microphone and Screen Capturing
              • System Summary
              • Data Obfuscation
              • Hooking and other Techniques for Hiding and Protection
              • Malware Analysis System Evasion
              • HIPS / PFW / Operating System Protection Evasion
              • Language, Device and Operating System Detection
              • Stealing of Sensitive Information
              • Remote Access Functionality

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: 1https.exeVirustotal: Detection: 72%Perma Link
              Source: 1https.exeReversingLabs: Detection: 64%
              Source: 1https.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: marnyonline.com
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cv=65202q943&h=HTTP/1.1
              Source: 1https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://gt=z2744p8252&j=HTTP/1.1
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i_=77g17927z1&t=HTTP/1.1
              Source: 1https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://k=256l71421&ss=HTTP/1.1
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com
              Source: 1https.exe, 00000000.00000003.2165989054.000001134EEA3000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2486341146.0000022B13087000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/
              Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html
              Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?
              Source: 1https.exe, 00000011.00000002.2483693954.000000C00037C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?k=256l71421&ss=7i7179u27
              Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?n
              Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.php
              Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.phphttp://marnyonline.com/api
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?
              Source: 1https.exe, 00000000.00000002.2481363679.000000C000132000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?ab=7717c9271&m=764
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.htmlhttp://marnyonline.
              Source: 1https.exe, 00000000.00000002.2480038503.000000C00001A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.php
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/http://marnyonli
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/http://marnyonline.commarnyonline.com:80
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/http://marnyonline.commarnyonline.com:80sWGetExtendedUdpTableCreateToolhelp32
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/http://marnyonline.commarnyonline.com:80tcpmarnyonline.comhttp://marnyonline.
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.html
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?Mozilla/5.0
              Source: 1https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83
              Source: 1https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83Mozilla/5.0
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.php
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/namespaces/database/samples.phphttp://marnyonline.com/namespaces/database/sam
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?
              Source: 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?gt=z2744p8252&j=9088w940t8
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.php
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.phphttp://marnyonline.com/oauth2/p
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/php/oauth/samples.html
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/php/oauth/samples.html?
              Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/php/oauth/samples.html?cv=65202q943&h=4020r461y0
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/php/oauth/samples.html?http://marnyonline.com/php/oauth/samples.html?NO_PROXY
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/php/oauth/samples.php
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.com/php/oauth/samples.phphttp://marnyonline.com/php/oauth/samples.html
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.comWinHttpGetProxyForUrl
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.comWinHttpGetProxyForU
              Source: 1https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.comage-encryption.org/v1
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://marnyonline.comtime:
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://namespacessamples.phpBye
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ei=2744o8252&j=HTTP/1.1
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com
              Source: 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.html?
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.html?a=40508942&lm=27448252
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.html?a=40508942&lm=27448252P
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.html?a=40508942&lm=27448252http://marnyonline.comage-encryption.org/v1
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.htmldiffie-hellman-group14-sha256
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.htmldiffie-hellman-group14-sha256y6=b
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.php
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/api.phphttps://marnyonline.com/api.html?
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.html
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.html?
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPro
              Source: 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89
              Source: 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89http://marnyonline.comage-enc
              Source: 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89p
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.php
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/db/namespaces/api.phphttps://marnyonline.com/db/namespaces/api.htmlhttps://m
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/https://marnyonline.com
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443%
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.com
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?
              Source: 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538
              Source: 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538https://m
              Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.htmlhttps://marnyonline.com/namespaces/
              Source: 1https.exe, 00000010.00000002.2480062469.000000C0000A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.phpO
              Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.html
              Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.html?N
              Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPr
              Source: 1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785
              Source: 1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785http://marnyonline.comage-
              Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.html?w
              Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.php
              Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/oauth2callback/api.phphttps://marnyonline.com/oauth2callback/api.htmlhttps:/
              Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html
              Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?http://marnyonlin
              Source: 1https.exe, 00000000.00000002.2485551869.000000C00040E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?j=3259s9314&xz=54
              Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.htmlhttps://marnyonlin
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts
              Source: 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.com
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comWinHttpGetProxyForUrl9
              Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comage-encryption.org/v1
              Source: 1https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1
              Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comhttp://marnyonline.com
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comhttps://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonlin
              Source: 1https.exe, 00000010.00000002.2480062469.000000C0001A8000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2481682720.000000C0001A8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.com
              Source: 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:
              Source: 1https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://o=517793ab0&ug=HTTP/1.1
              Source: 1https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pt=27d4e48252&r=HTTP/1.1
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49975
              Source: unknownNetwork traffic detected: HTTP traffic on port 49997 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
              Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49975 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
              Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevicesmemstr_6cf350bb-c

              System Summary

              barindex
              Source: 1https.exe, type: SAMPLEMatched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
              Source: 1https.exe, type: SAMPLEMatched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
              Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
              Source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTRMatched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
              Source: 1https.exe, type: SAMPLEMatched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
              Source: 1https.exe, type: SAMPLEMatched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
              Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
              Source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTRMatched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
              Source: classification engineClassification label: mal64.troj.winEXE@10/0@1/1
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\99e7913ee4f49540564594f4f7cf2a36295fa30e35adbd76f6119f32a5c99a4eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\35af682c01dcc1ef287081200d56e09da30522658d21b7b74e5f24e0befb8913AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\c4f65d6aad1ebb8e70058051d93c5e57e94b72eae3b38f553b4833ef76db68e8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\5470abc561522d8e551d89efe8c92ab5e05113fadb1bc0ebb57d1b0f6e424701AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: 1https.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\1https.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: 1https.exeVirustotal: Detection: 72%
              Source: 1https.exeReversingLabs: Detection: 64%
              Source: C:\Users\user\Desktop\1https.exeFile read: C:\Users\user\Desktop\1https.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\1https.exe "C:\Users\user\Desktop\1https.exe"
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe /?
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe -?
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exeJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe /?Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe -?Jump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\1https.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: 1https.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: 1https.exeStatic file information: File size 17320960 > 1048576
              Source: 1https.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0xa05600
              Source: 1https.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x60fa00
              Source: 1https.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: 1https.exeStatic PE information: section name: .symtab
              Source: C:\Users\user\Desktop\1https.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1https.exe TID: 424Thread sleep time: -90000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\1https.exe TID: 3116Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\1https.exe TID: 676Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\1https.exe TID: 6016Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
              Source: 1https.exe, 00000000.00000002.2487235473.000001134EE78000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2486341146.0000022B13095000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BC03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exeJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe /?Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\1https.exe 1https.exe -?Jump to behavior
              Source: C:\Users\user\Desktop\1https.exeQueries volume information: C:\Users\user\Desktop\1https.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\1https.exeQueries volume information: C:\Users\user\Desktop\1https.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\1https.exeQueries volume information: C:\Users\user\Desktop\1https.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\1https.exeQueries volume information: C:\Users\user\Desktop\1https.exe VolumeInformationJump to behavior

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 1https.exe, type: SAMPLE
              Source: Yara matchFile source: 00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2481242678.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2481363679.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1230899221.00000000017D7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 4152, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 3540, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 5280, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Source: Yara matchFile source: 1https.exe, type: SAMPLE
              Source: Yara matchFile source: 00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2481242678.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2481363679.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1230899221.00000000017D7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 4152, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 3540, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 1https.exe PID: 5280, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
              DLL Side-Loading              		11
              Process Injection              		1
              Virtualization/Sandbox Evasion              		11
              Input Capture              		1
              Security Software Discovery              		Remote Services11
              Input Capture              		2
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Rundll32              		LSASS Memory1
              Virtualization/Sandbox Evasion              		Remote Desktop ProtocolData from Removable Media1
              Non-Application Layer Protocol              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
              Process Injection              		Security Account Manager2
              File and Directory Discovery              		SMB/Windows Admin SharesData from Network Shared Drive2
              Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              DLL Side-Loading              		NTDS11
              System Information Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645365 Sample: 1https.exe Startdate: 21/03/2025 Architecture: WINDOWS Score: 64 22 marnyonline.com 2->22 26 Malicious sample detected (through community Yara rule) 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Sliver Implants 2->30 7 cmd.exe 1 2->7         started        9 1https.exe 2->9         started        12 rundll32.exe 2->12         started        signatures3 process4 dnsIp5 14 1https.exe 7->14         started        16 1https.exe 7->16         started        18 1https.exe 7->18         started        20 conhost.exe 1 7->20         started        24 marnyonline.com 45.61.169.127, 443, 49713, 49714 ASN-QUADRANET-GLOBALUS United States 9->24 process6

              Screenshots

              Download Video

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              1https.exe73%VirustotalBrowse
              1https.exe65%ReversingLabsWin64.Trojan.SliverMarte

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.phphttp://marnyonline.com/api0%Avira URL Cloudsafe
              https://pt=27d4e48252&r=HTTP/1.10%Avira URL Cloudsafe
              http://marnyonline.com/php/oauth/samples.html?cv=65202q943&h=4020r461y00%Avira URL Cloudsafe
              https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.com0%Avira URL Cloudsafe
              https://marnyonline.com/0%Avira URL Cloudsafe
              https://marnyonline.com/api.html?a=40508942&lm=27448252P0%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k890%Avira URL Cloudsafe
              https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?0%Avira URL Cloudsafe
              http://marnyonline.com/php/oauth/samples.html?0%Avira URL Cloudsafe
              http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?k=256l71421&ss=7i7179u270%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.php0%Avira URL Cloudsafe
              http://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:0%Avira URL Cloudsafe
              https://marnyonline.com/api.htmldiffie-hellman-group14-sha2560%Avira URL Cloudsafe
              http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?gt=z2744p8252&j=9088w940t80%Avira URL Cloudsafe
              https://marnyonline.com/api.htmldiffie-hellman-group14-sha256y6=b0%Avira URL Cloudsafe
              http://marnyonline.com/php/oauth/samples.html?http://marnyonline.com/php/oauth/samples.html?NO_PROXY0%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.html0%Avira URL Cloudsafe
              https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl0%Avira URL Cloudsafe
              https://ei=2744o8252&j=HTTP/1.10%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89p0%Avira URL Cloudsafe
              https://marnyonline.comhttp://marnyonline.com0%Avira URL Cloudsafe
              https://marnyonline.com/https://marnyonline.com0%Avira URL Cloudsafe
              http://marnyonline.com/http://marnyonli0%Avira URL Cloudsafe
              http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.htmlhttp://marnyonline.0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.html?w0%Avira URL Cloudsafe
              http://k=256l71421&ss=HTTP/1.10%Avira URL Cloudsafe
              https://o=517793ab0&ug=HTTP/1.10%Avira URL Cloudsafe
              http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.php0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.html?N0%Avira URL Cloudsafe
              http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.phphttps://marnyonline.com/oauth2callback/api.htmlhttps:/0%Avira URL Cloudsafe
              https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538https://m0%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.html?Mozilla/5.00%Avira URL Cloudsafe
              https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?http://marnyonlin0%Avira URL Cloudsafe
              http://namespacessamples.phpBye0%Avira URL Cloudsafe
              https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html0%Avira URL Cloudsafe
              http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?0%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.html?0%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.phphttp://marnyonline.com/namespaces/database/sam0%Avira URL Cloudsafe
              http://marnyonline.comtime:0%Avira URL Cloudsafe
              https://marnyonline.com/api.php0%Avira URL Cloudsafe
              http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n27850%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m830%Avira URL Cloudsafe
              http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?0%Avira URL Cloudsafe
              http://cv=65202q943&h=HTTP/1.10%Avira URL Cloudsafe
              http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.php0%Avira URL Cloudsafe
              http://marnyonline.com/php/oauth/samples.html0%Avira URL Cloudsafe
              https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v10%Avira URL Cloudsafe
              https://marnyonline.com/namespaces/namespaces/oauth2/samples.htmlhttps://marnyonline.com/namespaces/0%Avira URL Cloudsafe
              http://gt=z2744p8252&j=HTTP/1.10%Avira URL Cloudsafe
              https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts0%Avira URL Cloudsafe
              https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?j=3259s9314&xz=540%Avira URL Cloudsafe
              http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html0%Avira URL Cloudsafe
              http://marnyonline.com/php/oauth/samples.phphttp://marnyonline.com/php/oauth/samples.html0%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83Mozilla/5.00%Avira URL Cloudsafe
              https://marnyonline.com/https://marnyonline.commarnyonline.com:443%0%Avira URL Cloudsafe
              https://marnyonline.com0%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.php0%Avira URL Cloudsafe
              http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?n0%Avira URL Cloudsafe
              http://marnyonline.comage-encryption.org/v10%Avira URL Cloudsafe
              https://marnyonline.com/namespaces/namespaces/oauth2/samples.html0%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89http://marnyonline.comage-enc0%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.php0%Avira URL Cloudsafe
              https://marnyonline.com/api.phphttps://marnyonline.com/api.html?0%Avira URL Cloudsafe
              http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.phphttp://marnyonline.com/oauth2/p0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785http://marnyonline.comage-0%Avira URL Cloudsafe
              http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?ab=7717c9271&m=7640%Avira URL Cloudsafe
              https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:0%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPro0%Avira URL Cloudsafe
              http://marnyonline.com/http://marnyonline.commarnyonline.com:80sWGetExtendedUdpTableCreateToolhelp320%Avira URL Cloudsafe
              https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.htmlhttps://marnyonlin0%Avira URL Cloudsafe
              https://marnyonline.comhttps://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonlin0%Avira URL Cloudsafe
              http://marnyonline.com0%Avira URL Cloudsafe
              https://marnyonline.comage-encryption.org/v10%Avira URL Cloudsafe
              https://marnyonline.com/api.html?a=40508942&lm=274482520%Avira URL Cloudsafe
              https://marnyonline.com/namespaces/namespaces/oauth2/samples.phpO0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.html0%Avira URL Cloudsafe
              https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?0%Avira URL Cloudsafe
              https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm5380%Avira URL Cloudsafe
              http://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.comWinHttpGetProxyForU0%Avira URL Cloudsafe
              http://marnyonline.com/php/oauth/samples.php0%Avira URL Cloudsafe
              https://marnyonline.com/oauth2callback/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPr0%Avira URL Cloudsafe
              http://marnyonline.comWinHttpGetProxyForUrl0%Avira URL Cloudsafe
              https://marnyonline.com/api.html?a=40508942&lm=27448252http://marnyonline.comage-encryption.org/v10%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.html0%Avira URL Cloudsafe
              http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.php0%Avira URL Cloudsafe
              https://marnyonline.com/api.html?0%Avira URL Cloudsafe
              https://marnyonline.com/db/namespaces/api.phphttps://marnyonline.com/db/namespaces/api.htmlhttps://m0%Avira URL Cloudsafe
              http://marnyonline.com/http://marnyonline.commarnyonline.com:800%Avira URL Cloudsafe
              https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.com0%Avira URL Cloudsafe
              http://marnyonline.com/http://marnyonline.commarnyonline.com:80tcpmarnyonline.comhttp://marnyonline.0%Avira URL Cloudsafe
              http://marnyonline.com/0%Avira URL Cloudsafe
              https://marnyonline.comWinHttpGetProxyForUrl90%Avira URL Cloudsafe
              http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html0%Avira URL Cloudsafe
              http://i_=77g17927z1&t=HTTP/1.10%Avira URL Cloudsafe
              http://marnyonline.com/namespaces/database/samples.html?0%Avira URL Cloudsafe
              https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.com0%Avira URL Cloudsafe

              Domains and IPs

              Download Network PCAP: filteredfull

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              marnyonline.com
              		45.61.169.127
              		truefalse
                		unknown
                NameSourceMaliciousAntivirus DetectionReputation
                https://marnyonline.com/api.html?a=40508942&lm=27448252P1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.phphttp://marnyonline.com/api1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://pt=27d4e48252&r=HTTP/1.11https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k891https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/php/oauth/samples.html?cv=65202q943&h=4020r461y01https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.com1https.exe, 00000010.00000002.2480062469.000000C0001A8000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2481682720.000000C0001A8000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?k=256l71421&ss=7i7179u271https.exe, 00000011.00000002.2483693954.000000C00037C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/php/oauth/samples.html?1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.php1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.htmldiffie-hellman-group14-sha2561https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?gt=z2744p8252&j=9088w940t81https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.htmldiffie-hellman-group14-sha256y6=b1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/php/oauth/samples.html?http://marnyonline.com/php/oauth/samples.html?NO_PROXY1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.html1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://ei=2744o8252&j=HTTP/1.11https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89p1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comhttp://marnyonline.com1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/http://marnyonli1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.htmlhttp://marnyonline.1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/https://marnyonline.com1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.html?w1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://k=256l71421&ss=HTTP/1.11https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.php1https.exe, 00000000.00000002.2480038503.000000C00001A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://o=517793ab0&ug=HTTP/1.11https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.html?N1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.phphttps://marnyonline.com/oauth2callback/api.htmlhttps:/1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538https://m1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?http://marnyonlin1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.html?Mozilla/5.01https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://namespacessamples.phpBye1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.html?1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.phphttp://marnyonline.com/namespaces/database/sam1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.php1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.comtime:1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n27851https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m831https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/php/oauth/samples.html1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.php1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://cv=65202q943&h=HTTP/1.11https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v11https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.htmlhttps://marnyonline.com/namespaces/1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://gt=z2744p8252&j=HTTP/1.11https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?j=3259s9314&xz=541https.exe, 00000000.00000002.2485551869.000000C00040E000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/php/oauth/samples.phphttp://marnyonline.com/php/oauth/samples.html1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83Mozilla/5.01https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/https://marnyonline.commarnyonline.com:443%1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.php1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?n1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.comage-encryption.org/v11https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89http://marnyonline.comage-enc1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.php1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.phphttp://marnyonline.com/oauth2/p1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.phphttps://marnyonline.com/api.html?1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785http://marnyonline.comage-1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPro1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?ab=7717c9271&m=7641https.exe, 00000000.00000002.2481363679.000000C000132000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/http://marnyonline.commarnyonline.com:80sWGetExtendedUdpTableCreateToolhelp321https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.htmlhttps://marnyonlin1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comhttps://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonlin1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comage-encryption.org/v11https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.html?a=40508942&lm=274482521https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.phpO1https.exe, 00000010.00000002.2480062469.000000C0000A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.html1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/php/oauth/samples.php1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm5381https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/oauth2callback/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPr1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.comWinHttpGetProxyForUrl1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.comWinHttpGetProxyForU1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.html?a=40508942&lm=27448252http://marnyonline.comage-encryption.org/v11https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.html1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.php1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/http://marnyonline.commarnyonline.com:801https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/api.html?1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/db/namespaces/api.phphttps://marnyonline.com/db/namespaces/api.htmlhttps://m1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.com1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.comWinHttpGetProxyForUrl91https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/1https.exe, 00000000.00000003.2165989054.000001134EEA3000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2486341146.0000022B13087000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/http://marnyonline.commarnyonline.com:80tcpmarnyonline.comhttp://marnyonline.1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://i_=77g17927z1&t=HTTP/1.11https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://marnyonline.com/namespaces/database/samples.html?1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.com1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                45.61.169.127
                		marnyonline.comUnited States
                		8100ASN-QUADRANET-GLOBALUSfalse

                General Information

                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1645365
                Start date and time:2025-03-21 17:42:10 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 16s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:1https.exe
                Detection:MAL
                Classification:mal64.troj.winEXE@10/0@1/1
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 4.175.87.197, 184.31.69.3, 184.86.251.25, 204.79.197.222, 13.107.136.254, 52.123.128.254, 52.113.196.254, 204.79.197.254, 150.171.27.254
                • Excluded domains from analysis (whitelisted): spo-ring.msedge.net, www.bing.com, fp.msedge.net, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, otelrules.svc.static.microsoft, dual-s-ring.msedge.net, a-ring.msedge.net, crl3.digicert.com, teams-ring.msedge.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information

                Simulations

                Behavior and APIs

                TimeTypeDescription
                12:42:54API Interceptor10x Sleep call for process: 1https.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                ASN-QUADRANET-GLOBALUShttp://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzQyNDg1MjAxLCJuYmYiOjE3NDI0ODUyMDEsImFjY291bnRfaWQiOiI5MjExNzMxIiwiZGVsaXZlcnlfaWQiOiI2ZGY2cmIydXVwbjY4cnNhdWo0NCIsInRva2VuIjoiNmRmNnJiMnV1cG42OHJzYXVqNDQiLCJzZW5kX2F0IjoxNzQyNDgzOTQ4LCJlbWFpbF9pZCI6MTA1MDc4ODcsImVtYWlsYWJsZV90eXBlIjoiQnJvYWRjYXN0IiwiZW1haWxhYmxlX2lkIjo0MTkzMDc4LCJ1cmwiOiJodHRwOi8vZ2NyLnVwcGxleC5jby5rZT9fX3M9cWMwZ2JsdTk1emZnYmh3ZHp5OG4mdXRtX3NvdXJjZT1kcmlwJnV0bV9tZWRpdW09ZW1haWwmdXRtX2NhbXBhaWduPVdlK2dvdCthK21ha2VvdmVyLiJ9.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fgGet hashmaliciousHTMLPhisherBrowse
                • 45.61.169.110
                ATT11027.xhtmlGet hashmaliciousHTMLPhisherBrowse
                • 185.174.100.76
                http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3DGet hashmaliciousHTMLPhisherBrowse
                • 104.245.240.188
                AVISO DE COBRO DHL - 1606604473.PDF.exeGet hashmaliciousDarkCloudBrowse
                • 204.44.192.90
                splx86.elfGet hashmaliciousUnknownBrowse
                • 64.189.38.253
                resgod.arm5.elfGet hashmaliciousMiraiBrowse
                • 104.247.172.118
                https://office.mx-senora.com/validate-captcha?user_id=4bP8rZrJvBAKS5wfleIWGet hashmaliciousUnknownBrowse
                • 45.61.166.78
                Factura - FAT120250320.pdf(94KB).com.exeGet hashmaliciousDarkTortilla, XWormBrowse
                • 104.245.240.123
                huawei.elfGet hashmaliciousMiraiBrowse
                • 104.223.82.201
                Play_VM-Now(bfrieden)VWAV.xhtmlGet hashmaliciousHTMLPhisherBrowse
                • 185.174.100.76

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                No created / dropped files found

                Static File Info

                General

                File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                Entropy (8bit):6.1206426879766145
                TrID:
                • Win64 Executable (generic) (12005/4) 74.95%
                • Generic Win/DOS Executable (2004/3) 12.51%
                • DOS Executable Generic (2002/1) 12.50%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                File name:1https.exe
                File size:17'320'960 bytes
                MD5:3f6dd6c85f9e9a02fdea20076f69b66d
                SHA1:378b9c81eaa3cb51179a436ecb293d4da46fb66a
                SHA256:89b49994b3ab46875d0128673c87f15854bee5aff7ed13a812035c91a988636c
                SHA512:e790eb3de997dac1f22e392afed13d9b8fc848229c8f1ccbde0c237bfa97b5a59af86b33d5b541311a2c0bcb8ab348e64cbd4d05bea3906347629204a074fc91
                SSDEEP:98304:V3s7mObQ7J2DDDUxz+zSBLlHdT29+5WxVovgp9EaXZLOxs39nD:9sKiykPkBBPT298WxVovgpu2ZrD
                TLSH:E1071A03F8951095D8B6D1B089218162FA70785C0B7973DF2B61F7B42B72BF49EBA790
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........J........"......V..."................@..............................p............`... ............................

                File Icon

                Icon Hash:90cececece8e8eb0

                Static PE Info

                General

                Entrypoint:0x45d0e0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:1
                File Version Major:6
                File Version Minor:1
                Subsystem Version Major:6
                Subsystem Version Minor:1
                Import Hash:f0ea7b7844bbc5bfa9bb32efdcea957c
                Instruction
                jmp 00007FE9D52D3EA0h
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                pushfd
                cld
                dec eax
                sub esp, 000000E0h
                dec eax
                mov dword ptr [esp], edi
                dec eax
                mov dword ptr [esp+08h], esi
                dec eax
                mov dword ptr [esp+10h], ebp
                dec eax
                mov dword ptr [esp+18h], ebx
                dec esp
                mov dword ptr [esp+20h], esp
                dec esp
                mov dword ptr [esp+28h], ebp
                dec esp
                mov dword ptr [esp+30h], esi
                dec esp
                mov dword ptr [esp+38h], edi
                movups dqword ptr [esp+40h], xmm6
                movups dqword ptr [esp+50h], xmm7
                inc esp
                movups dqword ptr [esp+60h], xmm0
                inc esp
                movups dqword ptr [esp+70h], xmm1
                inc esp
                movups dqword ptr [esp+00000080h], xmm2
                inc esp
                movups dqword ptr [esp+00000090h], xmm3
                inc esp
                movups dqword ptr [esp+000000A0h], xmm4
                inc esp
                movups dqword ptr [esp+000000B0h], xmm5
                inc esp
                movups dqword ptr [esp+000000C0h], xmm6
                inc esp
                movups dqword ptr [esp+000000D0h], xmm7
                dec eax
                sub esp, 30h
                dec ecx
                mov ebp, ecx
                dec ecx
                mov edi, eax
                dec eax
                mov edx, dword ptr [01056CCBh]
                dec eax
                mov edx, dword ptr [edx]
                dec eax
                cmp edx, 00000000h
                jne 00007FE9D52D7B6Eh
                dec eax
                mov eax, 00000000h
                jmp 00007FE9D52D7C33h
                dec eax
                mov edx, dword ptr [edx]
                dec eax
                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0x10c80000x490.idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0x10c90000x2cba8.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x10170400x148.data
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x10000xa0545d0xa0560070a79c4c8148653252383d98df208895unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata0xa070000x60f9c00x60fa00c9ec2cdd8bd2beb43287e13d9c4c6b46unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data0x10170000xb04f00x42200cff480a34ba3c84cb1433ef56bfad823False0.38640122873345933data4.766100052123223IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata0x10c80000x4900x6002de8cfa279b681a3b3b28dc4e0b9db8cFalse0.3365885416666667data3.756870989745463IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .reloc0x10c90000x2cba80x2cc009a1d445ff529b1f9ba1926f86277c092False0.13103941166201116data5.445059390091143IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                .symtab0x10f60000x40x20007b5472d347d42780469fb2654b7fc54False0.02734375data0.020393135236084953IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                DLLImport
                kernel32.dllWriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

                Network Behavior

                Download Network PCAP: filteredfull

                Network Port Distribution

                • Total Packets: 41
                • 443 (HTTPS)
                • 80 (HTTP)
                • 53 (DNS)
                TimestampSource PortDest PortSource IPDest IP
                Mar 21, 2025 17:42:55.658092976 CET49713443192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:55.658138037 CET4434971345.61.169.127192.168.2.17
                Mar 21, 2025 17:42:55.658231020 CET49713443192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:55.658620119 CET49713443192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:55.658637047 CET4434971345.61.169.127192.168.2.17
                Mar 21, 2025 17:42:55.790884972 CET4434971345.61.169.127192.168.2.17
                Mar 21, 2025 17:42:55.812328100 CET4971480192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:55.947844028 CET804971445.61.169.127192.168.2.17
                Mar 21, 2025 17:42:56.463490009 CET4971480192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:56.600975037 CET804971445.61.169.127192.168.2.17
                Mar 21, 2025 17:42:57.111485958 CET4971480192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:57.244282961 CET804971445.61.169.127192.168.2.17
                Mar 21, 2025 17:42:57.749594927 CET4971480192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:57.884582043 CET804971445.61.169.127192.168.2.17
                Mar 21, 2025 17:42:58.386585951 CET4971480192.168.2.1745.61.169.127
                Mar 21, 2025 17:42:58.517846107 CET804971445.61.169.127192.168.2.17
                Mar 21, 2025 17:43:58.539201021 CET49975443192.168.2.1745.61.169.127
                Mar 21, 2025 17:43:58.539254904 CET4434997545.61.169.127192.168.2.17
                Mar 21, 2025 17:43:58.539356947 CET49975443192.168.2.1745.61.169.127
                Mar 21, 2025 17:43:58.539752960 CET49975443192.168.2.1745.61.169.127
                Mar 21, 2025 17:43:58.539767981 CET4434997545.61.169.127192.168.2.17
                Mar 21, 2025 17:43:58.677695990 CET4434997545.61.169.127192.168.2.17
                Mar 21, 2025 17:43:58.686364889 CET4997680192.168.2.1745.61.169.127
                Mar 21, 2025 17:43:58.819638014 CET804997645.61.169.127192.168.2.17
                Mar 21, 2025 17:43:59.330823898 CET4997680192.168.2.1745.61.169.127
                Mar 21, 2025 17:43:59.464781046 CET804997645.61.169.127192.168.2.17
                Mar 21, 2025 17:43:59.970808983 CET4997680192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:00.103023052 CET804997645.61.169.127192.168.2.17
                Mar 21, 2025 17:44:00.608840942 CET4997680192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:00.742038012 CET804997645.61.169.127192.168.2.17
                Mar 21, 2025 17:44:01.246848106 CET4997680192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:01.380930901 CET804997645.61.169.127192.168.2.17
                Mar 21, 2025 17:44:28.587378979 CET49994443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:28.587430000 CET4434999445.61.169.127192.168.2.17
                Mar 21, 2025 17:44:28.587573051 CET49994443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:28.587997913 CET49994443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:28.588011026 CET4434999445.61.169.127192.168.2.17
                Mar 21, 2025 17:44:28.722455025 CET4434999445.61.169.127192.168.2.17
                Mar 21, 2025 17:44:28.738410950 CET4999580192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:28.871742964 CET804999545.61.169.127192.168.2.17
                Mar 21, 2025 17:44:29.373522997 CET4999580192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:29.506165028 CET804999545.61.169.127192.168.2.17
                Mar 21, 2025 17:44:30.009526014 CET4999580192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:30.141503096 CET804999545.61.169.127192.168.2.17
                Mar 21, 2025 17:44:30.644690990 CET4999580192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:38.646420002 CET4999580192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:38.780046940 CET804999545.61.169.127192.168.2.17
                Mar 21, 2025 17:44:38.849857092 CET49997443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:38.849917889 CET4434999745.61.169.127192.168.2.17
                Mar 21, 2025 17:44:38.850069046 CET49997443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:38.850474119 CET49997443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:38.850507021 CET4434999745.61.169.127192.168.2.17
                Mar 21, 2025 17:44:38.982496977 CET4434999745.61.169.127192.168.2.17
                Mar 21, 2025 17:44:38.994415045 CET4999880192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:39.126626968 CET804999845.61.169.127192.168.2.17
                Mar 21, 2025 17:44:39.628520012 CET4999880192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:39.759944916 CET804999845.61.169.127192.168.2.17
                Mar 21, 2025 17:44:40.268536091 CET4999880192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:40.399794102 CET804999845.61.169.127192.168.2.17
                Mar 21, 2025 17:44:40.905556917 CET4999880192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:41.036134958 CET804999845.61.169.127192.168.2.17
                Mar 21, 2025 17:44:41.543427944 CET4999880192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:41.675198078 CET804999845.61.169.127192.168.2.17
                Mar 21, 2025 17:44:44.119976044 CET49999443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:44.120029926 CET4434999945.61.169.127192.168.2.17
                Mar 21, 2025 17:44:44.120269060 CET49999443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:44.121143103 CET49999443192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:44.121153116 CET4434999945.61.169.127192.168.2.17
                Mar 21, 2025 17:44:44.254183054 CET4434999945.61.169.127192.168.2.17
                Mar 21, 2025 17:44:44.267765999 CET5000080192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:44.400511980 CET805000045.61.169.127192.168.2.17
                Mar 21, 2025 17:44:44.909871101 CET5000080192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:45.048017979 CET805000045.61.169.127192.168.2.17
                Mar 21, 2025 17:44:45.563858986 CET5000080192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:45.697731018 CET805000045.61.169.127192.168.2.17
                Mar 21, 2025 17:44:46.200892925 CET5000080192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:46.333267927 CET805000045.61.169.127192.168.2.17
                Mar 21, 2025 17:44:46.839962006 CET5000080192.168.2.1745.61.169.127
                Mar 21, 2025 17:44:46.972285986 CET805000045.61.169.127192.168.2.17
                TimestampSource PortDest PortSource IPDest IP
                Mar 21, 2025 17:42:55.370594025 CET5213153192.168.2.171.1.1.1
                Mar 21, 2025 17:42:55.655073881 CET53521311.1.1.1192.168.2.17

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                Mar 21, 2025 17:42:55.370594025 CET192.168.2.171.1.1.10xa0afStandard query (0)marnyonline.comA (IP address)IN (0x0001)false

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                Mar 21, 2025 17:42:55.655073881 CET1.1.1.1192.168.2.170xa0afNo error (0)marnyonline.com45.61.169.127A (IP address)IN (0x0001)false

                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                • File
                • Network

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:12:42:53
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\1https.exe"
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000002.2481363679.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1230899221.00000000017D7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Process Activities

                Show Windows behavior

                Thread Activities

                Show Windows behavior

                Memory Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Network Activities


                General

                Target ID:13
                Start time:12:44:00
                Start date:21/03/2025
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Imagebase:0x7ff6f15e0000
                File size:71'680 bytes
                MD5 hash:EF3179D498793BF4234F708D3BE28633
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Process Activities

                Thread Activities

                Show Windows behavior

                Memory Activities

                Show Windows behavior

                System Activities

                Show Windows behavior

                Windows UI Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                General

                Target ID:14
                Start time:12:44:14
                Start date:21/03/2025
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\cmd.exe"
                Imagebase:0x7ff683fb0000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Process Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Memory Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                General

                Target ID:15
                Start time:12:44:14
                Start date:21/03/2025
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff62a120000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Mutex Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Thread Activities

                Show Windows behavior

                Memory Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Windows UI Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                General

                Target ID:16
                Start time:12:44:27
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:1https.exe
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Process Activities

                Show Windows behavior

                Thread Activities

                Show Windows behavior

                Memory Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Network Activities


                General

                Target ID:17
                Start time:12:44:37
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:1https.exe /?
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Process Activities

                Show Windows behavior

                Thread Activities

                Show Windows behavior

                Memory Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Network Activities


                General

                Target ID:18
                Start time:12:44:43
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:1https.exe -?
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000012.00000002.2481242678.000000C000168000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false
                Show Windows behavior

                File Activities

                Show Windows behavior

                Section Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Process Activities

                Show Windows behavior

                Thread Activities

                Show Windows behavior

                Memory Activities

                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                Show Windows behavior

                Network Activities


                Disassembly

                No disassembly