
Windows Analysis Report
1https.exe

Overview

General Information

Sample name: 1https.exe
Analysis ID: 1645365
MD5: 3f6dd6c85f9e9a02fdea20076f69b66d
SHA1: 378b9c81eaa3cb51179a436ecb293d4da46fb66a
SHA256: 89b49994b3ab46875d0128673c87f15854bee5aff7ed13a812035c91a988636c

Detection

Sliver
Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
Creates a process in suspended mode (likely to inject code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

  • System is w10x64_ra
  • 1https.exe (PID: 3644 cmdline: "C:\Users\user\Desktop\1https.exe" MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
  • rundll32.exe (PID: 1312 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cmd.exe (PID: 1968 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 1https.exe (PID: 4152 cmdline: 1https.exe MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
    • 1https.exe (PID: 3540 cmdline: 1https.exe /? MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
    • 1https.exe (PID: 5280 cmdline: 1https.exe -? MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)
  • cleanup
Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
No configs have been found
Source | Rule | Description | Author | Strings
1https.exe | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
1https.exe | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xcf923f:$a1: ).RequestResend
  • 0xce83a8:$a2: ).GetPrivInfo
1https.exe | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
  • 0xa2bbb3:$s3: .WGTCPForwarder
  • 0xa2c86c:$s3: .WGTCPForwarder
  • 0xa2d825:$s3: .WGTCPForwarder
  • 0xa2e8d1:$s3: .WGTCPForwarder
  • 0xa3030d:$s3: .WGTCPForwarder
  • 0xa310f7:$s3: .WGTCPForwarder
  • 0xa293e7:$s6: .BackdoorReq
  • 0xa2baff:$s7: .ProcessDumpReq
  • 0xa2df5a:$s8: .InvokeSpawnDllReq
  • 0xa257a1:$s9: .SpawnDll
  • 0xa29546:$s9: .SpawnDll

Source | Rule | Description | Author | Strings
00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
(5 of 10 entries shown)

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 1https.exe | Virustotal: Detection: 72%
Source: 1https.exe | ReversingLabs: Detection: 64%
Source: 1https.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: marnyonline.com
Source: 1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cv=65202q943&h=HTTP/1.1
Source: 1https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://gt=z2744p8252&j=HTTP/1.1
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i_=77g17927z1&t=HTTP/1.1
Source: 1https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://k=256l71421&ss=HTTP/1.1
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com
Source: 1https.exe, 00000000.00000003.2165989054.000001134EEA3000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2486341146.0000022B13087000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/
Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html
Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?
Source: 1https.exe, 00000011.00000002.2483693954.000000C00037C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?k=256l71421&ss=7i7179u27
Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?n
Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.php
Source: 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.phphttp://marnyonline.com/api
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?
Source: 1https.exe, 00000000.00000002.2481363679.000000C000132000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?ab=7717c9271&m=764
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.htmlhttp://marnyonline.
Source: 1https.exe, 00000000.00000002.2480038503.000000C00001A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.php
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/http://marnyonli
Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/http://marnyonline.commarnyonline.com:80
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/http://marnyonline.commarnyonline.com:80sWGetExtendedUdpTableCreateToolhelp32
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/http://marnyonline.commarnyonline.com:80tcpmarnyonline.comhttp://marnyonline.
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.html
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?Mozilla/5.0
Source: 1https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83
Source: 1https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83Mozilla/5.0
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.php
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/namespaces/database/samples.phphttp://marnyonline.com/namespaces/database/sam
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?
Source: 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?gt=z2744p8252&j=9088w940t8
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.php
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.phphttp://marnyonline.com/oauth2/p
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/php/oauth/samples.html
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/php/oauth/samples.html?
Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/php/oauth/samples.html?cv=65202q943&h=4020r461y0
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/php/oauth/samples.html?http://marnyonline.com/php/oauth/samples.html?NO_PROXY
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/php/oauth/samples.php
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.com/php/oauth/samples.phphttp://marnyonline.com/php/oauth/samples.html
Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comWinHttpGetProxyForUrl
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.comWinHttpGetProxyForU
Source: 1https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comage-encryption.org/v1
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:
Source: 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://marnyonline.comtime:
Source: 1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://namespacessamples.phpBye
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ei=2744o8252&j=HTTP/1.1
Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com
Source: 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/
Source: 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.html?
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.html?a=40508942&lm=27448252
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.html?a=40508942&lm=27448252P
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.html?a=40508942&lm=27448252http://marnyonline.comage-encryption.org/v1
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.htmldiffie-hellman-group14-sha256
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.htmldiffie-hellman-group14-sha256y6=b
Source: 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.php
Source: 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/api.phphttps://marnyonline.com/api.html?
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.html
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.html?
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPro
Source: 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89
Source: 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89http://marnyonline.comage-enc
Source: 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89p
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.php
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/db/namespaces/api.phphttps://marnyonline.com/db/namespaces/api.htmlhttps://m
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/https://marnyonline.com
Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443%
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.com
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?
Source: 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538
Source: 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538https://m
Source: 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.htmlhttps://marnyonline.com/namespaces/
Source: 1https.exe, 00000010.00000002.2480062469.000000C0000A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/namespaces/namespaces/oauth2/samples.phpO
Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.html
Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.html?N
Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPr
Source: 1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785
Source: 1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785http://marnyonline.comage-
Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.html?w
Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.php
Source: 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/oauth2callback/api.phphttps://marnyonline.com/oauth2callback/api.htmlhttps:/
Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html
Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?http://marnyonlin
Source: 1https.exe, 00000000.00000002.2485551869.000000C00040E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?j=3259s9314&xz=54
Source: 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.htmlhttps://marnyonlin
Source: 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts
Source: 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.com
Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comWinHttpGetProxyForUrl9
Source: 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comage-encryption.org/v1
Source: 1https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1
Source: 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comhttp://marnyonline.com
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comhttps://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonlin
Source: 1https.exe, 00000010.00000002.2480062469.000000C0001A8000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2481682720.000000C0001A8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.com
Source: 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:
Source: 1https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://o=517793ab0&ug=HTTP/1.1
Source: 1https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pt=27d4e48252&r=HTTP/1.1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown | Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49999
Source: 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevicesmemstr_6cf350bb-c

              System Summary

              barindex
Source: 1https.exe, type: SAMPLE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 1https.exe, type: SAMPLE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 1https.exe, type: SAMPLE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 1https.exe, type: SAMPLE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: classification engine | Classification label: mal64.troj.winEXE@10/0@1/1
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\99e7913ee4f49540564594f4f7cf2a36295fa30e35adbd76f6119f32a5c99a4eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\35af682c01dcc1ef287081200d56e09da30522658d21b7b74e5f24e0befb8913AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\c4f65d6aad1ebb8e70058051d93c5e57e94b72eae3b38f553b4833ef76db68e8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: C:\Users\user\Desktop\1https.exeFile opened: C:\Windows\system32\5470abc561522d8e551d89efe8c92ab5e05113fadb1bc0ebb57d1b0f6e424701AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: 1https.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\1https.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: 1https.exe | Virustotal: Detection: 72%
Source: 1https.exe | ReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\1https.exe | File read: C:\Users\user\Desktop\1https.exe
Source: unknown | Process created: C:\Users\user\Desktop\1https.exe "C:\Users\user\Desktop\1https.exe"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\1https.exe 1https.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\1https.exe 1https.exe /?
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\1https.exe 1https.exe -?
Source: C:\Users\user\Desktop\1https.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1https.exe | Section loaded: ondemandconnroutehelper.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1https.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 1https.exe | Static file information: File size 17320960 > 1048576
Source: 1https.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa05600
Source: 1https.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x60fa00
Source: 1https.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 1https.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\1https.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1https.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1https.exe TID: 424 | Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\1https.exe TID: 3116 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\1https.exe TID: 676 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\1https.exe TID: 6016 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: 1https.exe, 00000000.00000002.2487235473.000001134EE78000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2486341146.0000022B13095000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BC03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\1https.exe 1https.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\1https.exe 1https.exe /?
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\1https.exe 1https.exe -?
Source: C:\Users\user\Desktop\1https.exe | Queries volume information: C:\Users\user\Desktop\1https.exe VolumeInformation
Source: C:\Users\user\Desktop\1https.exe | Queries volume information: C:\Users\user\Desktop\1https.exe VolumeInformation
Source: C:\Users\user\Desktop\1https.exe | Queries volume information: C:\Users\user\Desktop\1https.exe VolumeInformation
Source: C:\Users\user\Desktop\1https.exe | Queries volume information: C:\Users\user\Desktop\1https.exe VolumeInformation

              Stealing of Sensitive Information

Source: Yara match | File source: 1https.exe, type: SAMPLE
Source: Yara match | File source: 00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2481242678.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2481363679.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1230899221.00000000017D7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 4152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 3540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 5280, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 1https.exe, type: SAMPLE
Source: Yara match | File source: 00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2481242678.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2481363679.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1230899221.00000000017D7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 3644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 4152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 3540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1https.exe PID: 5280, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed by tactic; the number in parentheses is the count given next to that technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Virtualization/Sandbox Evasion (1); Rundll32 (1); Process Injection (11); DLL Side-Loading (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); File and Directory Discovery (2); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture (11); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1645365 | Sample: 1https.exe | Start date: 21/03/2025 | Architecture: WINDOWS | Score: 64
Signatures on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Sliver Implants
Processes started: cmd.exe (which started 1https.exe three times and conhost.exe), 1https.exe, rundll32.exe
DNS/IP: marnyonline.com 45.61.169.127, port 443 (local ports 49713, 49714), ASN-QUADRANET-GLOBALUS, United States, contacted by 1https.exe

Source | Detection | Scanner | Label
1https.exe | 73% | Virustotal
1https.exe | 65% | ReversingLabs | Win64.Trojan.SliverMarte
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.phphttp://marnyonline.com/api | 0% | Avira URL Cloud | safe
https://pt=27d4e48252&r=HTTP/1.1 | 0% | Avira URL Cloud | safe
http://marnyonline.com/php/oauth/samples.html?cv=65202q943&h=4020r461y0 | 0% | Avira URL Cloud | safe
https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.com | 0% | Avira URL Cloud | safe
https://marnyonline.com/ | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.html?a=40508942&lm=27448252P | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89 | 0% | Avira URL Cloud | safe
https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html? | 0% | Avira URL Cloud | safe
http://marnyonline.com/php/oauth/samples.html? | 0% | Avira URL Cloud | safe
http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?k=256l71421&ss=7i7179u27 | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.php | 0% | Avira URL Cloud | safe
http://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime: | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.htmldiffie-hellman-group14-sha256 | 0% | Avira URL Cloud | safe
http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?gt=z2744p8252&j=9088w940t8 | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.htmldiffie-hellman-group14-sha256y6=b | 0% | Avira URL Cloud | safe
http://marnyonline.com/php/oauth/samples.html?http://marnyonline.com/php/oauth/samples.html?NO_PROXY | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.html | 0% | Avira URL Cloud | safe
https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl | 0% | Avira URL Cloud | safe
https://ei=2744o8252&j=HTTP/1.1 | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89p | 0% | Avira URL Cloud | safe
https://marnyonline.comhttp://marnyonline.com | 0% | Avira URL Cloud | safe
https://marnyonline.com/https://marnyonline.com | 0% | Avira URL Cloud | safe
http://marnyonline.com/http://marnyonli | 0% | Avira URL Cloud | safe
http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.htmlhttp://marnyonline. | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.html?w | 0% | Avira URL Cloud | safe
http://k=256l71421&ss=HTTP/1.1 | 0% | Avira URL Cloud | safe
https://o=517793ab0&ug=HTTP/1.1 | 0% | Avira URL Cloud | safe
http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.php | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.html?N | 0% | Avira URL Cloud | safe
http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.phphttps://marnyonline.com/oauth2callback/api.htmlhttps:/ | 0% | Avira URL Cloud | safe
https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538https://m | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.html?Mozilla/5.0 | 0% | Avira URL Cloud | safe
https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?http://marnyonlin | 0% | Avira URL Cloud | safe
http://namespacessamples.phpBye | 0% | Avira URL Cloud | safe
https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html | 0% | Avira URL Cloud | safe
http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html? | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.html? | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.phphttp://marnyonline.com/namespaces/database/sam | 0% | Avira URL Cloud | safe
http://marnyonline.comtime: | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.php | 0% | Avira URL Cloud | safe
http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html? | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785 | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83 | 0% | Avira URL Cloud | safe
http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html? | 0% | Avira URL Cloud | safe
http://cv=65202q943&h=HTTP/1.1 | 0% | Avira URL Cloud | safe
http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.php | 0% | Avira URL Cloud | safe
http://marnyonline.com/php/oauth/samples.html | 0% | Avira URL Cloud | safe
https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1 | 0% | Avira URL Cloud | safe
https://marnyonline.com/namespaces/namespaces/oauth2/samples.htmlhttps://marnyonline.com/namespaces/ | 0% | Avira URL Cloud | safe
http://gt=z2744p8252&j=HTTP/1.1 | 0% | Avira URL Cloud | safe
https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts | 0% | Avira URL Cloud | safe
https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?j=3259s9314&xz=54 | 0% | Avira URL Cloud | safe
http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html | 0% | Avira URL Cloud | safe
http://marnyonline.com/php/oauth/samples.phphttp://marnyonline.com/php/oauth/samples.html | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83Mozilla/5.0 | 0% | Avira URL Cloud | safe
https://marnyonline.com/https://marnyonline.commarnyonline.com:443% | 0% | Avira URL Cloud | safe
https://marnyonline.com | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.php | 0% | Avira URL Cloud | safe
http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?n | 0% | Avira URL Cloud | safe
http://marnyonline.comage-encryption.org/v1 | 0% | Avira URL Cloud | safe
https://marnyonline.com/namespaces/namespaces/oauth2/samples.html | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89http://marnyonline.comage-enc | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.php | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.phphttps://marnyonline.com/api.html? | 0% | Avira URL Cloud | safe
http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.phphttp://marnyonline.com/oauth2/p | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785http://marnyonline.comage- | 0% | Avira URL Cloud | safe
http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?ab=7717c9271&m=764 | 0% | Avira URL Cloud | safe
https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime: | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPro | 0% | Avira URL Cloud | safe
http://marnyonline.com/http://marnyonline.commarnyonline.com:80sWGetExtendedUdpTableCreateToolhelp32 | 0% | Avira URL Cloud | safe
https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.htmlhttps://marnyonlin | 0% | Avira URL Cloud | safe
https://marnyonline.comhttps://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonlin | 0% | Avira URL Cloud | safe
http://marnyonline.com | 0% | Avira URL Cloud | safe
https://marnyonline.comage-encryption.org/v1 | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.html?a=40508942&lm=27448252 | 0% | Avira URL Cloud | safe
https://marnyonline.com/namespaces/namespaces/oauth2/samples.phpO | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.html | 0% | Avira URL Cloud | safe
https://marnyonline.com/namespaces/namespaces/oauth2/samples.html? | 0% | Avira URL Cloud | safe
https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538 | 0% | Avira URL Cloud | safe
http://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.comWinHttpGetProxyForU | 0% | Avira URL Cloud | safe
http://marnyonline.com/php/oauth/samples.php | 0% | Avira URL Cloud | safe
https://marnyonline.com/oauth2callback/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPr | 0% | Avira URL Cloud | safe
http://marnyonline.comWinHttpGetProxyForUrl | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.html?a=40508942&lm=27448252http://marnyonline.comage-encryption.org/v1 | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.html | 0% | Avira URL Cloud | safe
http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.php | 0% | Avira URL Cloud | safe
https://marnyonline.com/api.html? | 0% | Avira URL Cloud | safe
https://marnyonline.com/db/namespaces/api.phphttps://marnyonline.com/db/namespaces/api.htmlhttps://m | 0% | Avira URL Cloud | safe
http://marnyonline.com/http://marnyonline.commarnyonline.com:80 | 0% | Avira URL Cloud | safe
https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.com | 0% | Avira URL Cloud | safe
http://marnyonline.com/http://marnyonline.commarnyonline.com:80tcpmarnyonline.comhttp://marnyonline. | 0% | Avira URL Cloud | safe
http://marnyonline.com/ | 0% | Avira URL Cloud | safe
https://marnyonline.comWinHttpGetProxyForUrl9 | 0% | Avira URL Cloud | safe
http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html | 0% | Avira URL Cloud | safe
http://i_=77g17927z1&t=HTTP/1.1 | 0% | Avira URL Cloud | safe
http://marnyonline.com/namespaces/database/samples.html? | 0% | Avira URL Cloud | safe
              https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.com0%Avira URL Cloudsafe

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                marnyonline.com | 45.61.169.127 | true | false | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://marnyonline.com/api.html?a=40508942&lm=27448252P | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.phphttp://marnyonline.com/api | 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://pt=27d4e48252&r=HTTP/1.1 | 1https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89 | 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/php/oauth/samples.html?cv=65202q943&h=4020r461y0 | 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html? | 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/ | 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.com | 1https.exe, 00000010.00000002.2480062469.000000C0001A8000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2481682720.000000C0001A8000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?k=256l71421&ss=7i7179u27 | 1https.exe, 00000011.00000002.2483693954.000000C00037C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/php/oauth/samples.html? | 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.php | 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime: | 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.htmldiffie-hellman-group14-sha256 | 1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html?gt=z2744p8252&j=9088w940t8 | 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl | 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.htmldiffie-hellman-group14-sha256y6=b | 1https.exe, 00000000.00000002.2481363679.000000C0001AA000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/php/oauth/samples.html?http://marnyonline.com/php/oauth/samples.html?NO_PROXY | 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.html | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ei=2744o8252&j=HTTP/1.1 | 1https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89p | 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comhttp://marnyonline.com | 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/http://marnyonli | 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.htmlhttp://marnyonline. | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/https://marnyonline.com | 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.html?w | 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://k=256l71421&ss=HTTP/1.1 | 1https.exe, 00000011.00000002.2483693954.000000C000336000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.php | 1https.exe, 00000000.00000002.2480038503.000000C00001A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://o=517793ab0&ug=HTTP/1.1 | 1https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.html?N | 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html | 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.phphttps://marnyonline.com/oauth2callback/api.htmlhttps:/ | 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538https://m | 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?http://marnyonlin | 1https.exe, 00000000.00000002.2485551869.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.html?Mozilla/5.0 | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://namespacessamples.phpBye | 1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html | 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html? | 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.html? | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.phphttp://marnyonline.com/namespaces/database/sam | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.php | 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.comtime: | 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html? | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785 | 1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83 | 1https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html? | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/php/oauth/samples.html | 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.php | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://cv=65202q943&h=HTTP/1.1 | 1https.exe, 00000000.00000002.2480038503.000000C000072000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1 | 1https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.htmlhttps://marnyonline.com/namespaces/ | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts | 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://gt=z2744p8252&j=HTTP/1.1 | 1https.exe, 00000010.00000002.2480062469.000000C000086000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.html?j=3259s9314&xz=54 | 1https.exe, 00000000.00000002.2485551869.000000C00040E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.html | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/php/oauth/samples.phphttp://marnyonline.com/php/oauth/samples.html | 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.html?i_=77g17927z1&t=842374m83Mozilla/5.0 | 1https.exe, 00000012.00000002.2480038517.000000C000072000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com | 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/https://marnyonline.commarnyonline.com:443% | 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.php | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.html?n | 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.comage-encryption.org/v1 | 1https.exe, 00000010.00000002.2480062469.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.html?ei=2744o8252&j=551053k89http://marnyonline.comage-enc | 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.php | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/oauth2/php/oauth2/db/oauth/api/php/samples.phphttp://marnyonline.com/oauth2/p | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.phphttps://marnyonline.com/api.html? | 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.html?pt=27d4e48252&r=775i0n2785http://marnyonline.comage- | 1https.exe, 00000011.00000002.2483693954.000000C00021B000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPro | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html?ab=7717c9271&m=764 | 1https.exe, 00000000.00000002.2481363679.000000C000132000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime: | 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/http://marnyonline.commarnyonline.com:80sWGetExtendedUdpTableCreateToolhelp32 | 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/php/php/db/oauth2callback/oauth2callback/database/api.htmlhttps://marnyonlin | 1https.exe, 00000000.00000002.2480038503.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comhttps://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonlin | 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com | 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2487235473.000001134EE6C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2488818852.000001E39FC97000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comage-encryption.org/v1 | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2480038517.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.html?a=40508942&lm=27448252 | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.phpO | 1https.exe, 00000010.00000002.2480062469.000000C0000A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.html | 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html? | 1https.exe, 00000010.00000002.2484061604.000000C00026C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/php/oauth/samples.php | 1https.exe, 00000000.00000002.2481363679.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/namespaces/namespaces/oauth2/samples.html?o=517793ab0&ug=37145mm538 | 1https.exe, 00000010.00000002.2484061604.000000C000360000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/oauth2callback/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEPr | 1https.exe, 00000011.00000002.2480211680.000000C000076000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.comWinHttpGetProxyForUrl | 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.comWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.comWinHttpGetProxyForU | 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.html?a=40508942&lm=27448252http://marnyonline.comage-encryption.org/v1 | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.html | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/api/namespaces/database/oauth2/php/database/api.php | 1https.exe, 00000011.00000002.2483693954.000000C0002E4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/http://marnyonline.commarnyonline.com:80 | 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/api.html? | 1https.exe, 00000000.00000002.2485551869.000000C00041C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/db/namespaces/api.phphttps://marnyonline.com/db/namespaces/api.htmlhttps://m | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeoutshttps://marnyonline.com | 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.comWinHttpGetProxyForUrl9 | 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/ | 1https.exe, 00000000.00000003.2165989054.000001134EEA3000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2486341146.0000022B13087000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000011.00000002.2480211680.000000C00007A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2481242678.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000012.00000002.2485093578.000001E21BBF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/http://marnyonline.commarnyonline.com:80tcpmarnyonline.comhttp://marnyonline. | 1https.exe, 00000000.00000002.2485551869.000000C00040A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000010.00000002.2480062469.000000C00008A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/db/oauth2callback/oauth2callback/oauth/oauth2/samples.html | 1https.exe, 00000000.00000002.2480038503.000000C000048000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://i_=77g17927z1&t=HTTP/1.1 | 1https.exe, 00000012.00000002.2481242678.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://marnyonline.com/namespaces/database/samples.html? | 1https.exe, 00000012.00000002.2481242678.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.com | 1https.exe, 00000000.00000002.2481363679.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                45.61.169.127 | marnyonline.com | United States | | 8100 | ASN-QUADRANET-GLOBALUS | false
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1645365
                Start date and time:2025-03-21 17:42:10 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 16s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:1https.exe
                Detection:MAL
                Classification:mal64.troj.winEXE@10/0@1/1
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 4.175.87.197, 184.31.69.3, 184.86.251.25, 204.79.197.222, 13.107.136.254, 52.123.128.254, 52.113.196.254, 204.79.197.254, 150.171.27.254
                • Excluded domains from analysis (whitelisted): spo-ring.msedge.net, www.bing.com, fp.msedge.net, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, otelrules.svc.static.microsoft, dual-s-ring.msedge.net, a-ring.msedge.net, crl3.digicert.com, teams-ring.msedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
Time      Type             Description
12:42:54  API Interceptor  10x Sleep call for process: 1https.exe modified
Match: ASN-QUADRANET-GLOBALUS (other analyses whose traffic reached the same ASN)
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
http://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.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.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fg | malicious | HTMLPhisher | 45.61.169.110
ATT11027.xhtml | malicious | HTMLPhisher | 185.174.100.76
http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D | malicious | HTMLPhisher | 104.245.240.188
AVISO DE COBRO DHL - 1606604473.PDF.exe | malicious | DarkCloud | 204.44.192.90
splx86.elf | malicious | Unknown | 64.189.38.253
resgod.arm5.elf | malicious | Mirai | 104.247.172.118
https://office.mx-senora.com/validate-captcha?user_id=4bP8rZrJvBAKS5wfleIW | malicious | Unknown | 45.61.166.78
Factura - FAT120250320.pdf(94KB).com.exe | malicious | DarkTortilla, XWorm | 104.245.240.123
huawei.elf | malicious | Mirai | 104.223.82.201
Play_VM-Now(bfrieden)VWAV.xhtml | malicious | HTMLPhisher | 185.174.100.76
                No created / dropped files found
                File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                Entropy (8bit):6.1206426879766145
                TrID:
                • Win64 Executable (generic) (12005/4) 74.95%
                • Generic Win/DOS Executable (2004/3) 12.51%
                • DOS Executable Generic (2002/1) 12.50%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                File name:1https.exe
                File size:17'320'960 bytes
                MD5:3f6dd6c85f9e9a02fdea20076f69b66d
                SHA1:378b9c81eaa3cb51179a436ecb293d4da46fb66a
                SHA256:89b49994b3ab46875d0128673c87f15854bee5aff7ed13a812035c91a988636c
                SHA512:e790eb3de997dac1f22e392afed13d9b8fc848229c8f1ccbde0c237bfa97b5a59af86b33d5b541311a2c0bcb8ab348e64cbd4d05bea3906347629204a074fc91
                SSDEEP:98304:V3s7mObQ7J2DDDUxz+zSBLlHdT29+5WxVovgp9EaXZLOxs39nD:9sKiykPkBBPT298WxVovgpu2ZrD
                TLSH:E1071A03F8951095D8B6D1B089218162FA70785C0B7973DF2B61F7B42B72BF49EBA790
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........J........"......V..."................@..............................p............`... ............................
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x45d0e0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:1
                File Version Major:6
                File Version Minor:1
                Subsystem Version Major:6
                Subsystem Version Minor:1
                Import Hash:f0ea7b7844bbc5bfa9bb32efdcea957c
Instruction (entry-point code, decoded as x86-64: the file is a PE32+, so the 0x48/0x49/0x4C/0x44 bytes are REX prefixes of the instructions that follow, not separate dec/inc operations)
jmp 00007FE9D52D3EA0h
int3 (27 padding bytes)
pushfq
cld
sub rsp, 000000E0h
mov qword ptr [rsp], rdi
mov qword ptr [rsp+08h], rsi
mov qword ptr [rsp+10h], rbp
mov qword ptr [rsp+18h], rbx
mov qword ptr [rsp+20h], r12
mov qword ptr [rsp+28h], r13
mov qword ptr [rsp+30h], r14
mov qword ptr [rsp+38h], r15
movups xmmword ptr [rsp+40h], xmm6
movups xmmword ptr [rsp+50h], xmm7
movups xmmword ptr [rsp+60h], xmm8
movups xmmword ptr [rsp+70h], xmm9
movups xmmword ptr [rsp+00000080h], xmm10
movups xmmword ptr [rsp+00000090h], xmm11
movups xmmword ptr [rsp+000000A0h], xmm12
movups xmmword ptr [rsp+000000B0h], xmm13
movups xmmword ptr [rsp+000000C0h], xmm14
movups xmmword ptr [rsp+000000D0h], xmm15
sub rsp, 30h
mov r13, rcx
mov r15, rax
mov rdx, qword ptr [rip+01056CCBh]
mov rdx, qword ptr [rdx]
cmp rdx, 00000000h
jne 00007FE9D52D7B6Eh
mov rax, 00000000h
jmp 00007FE9D52D7C33h
mov rdx, qword ptr [rdx]
After the jump to the start-up code and the int3 padding, the sequence is the Go runtime's Windows exception-handler trampoline: it saves the host-ABI registers rdi, rsi, rbp, rbx, r12 to r15 and xmm6 to xmm15 into a 0xE0-byte frame, keeps the exception pointer (rcx) and the handler address (rax) in r13 and r15, then loads the current goroutine from TLS and sets the return value to 0 (continue search) when there is none.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x10c8000        0x490         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10c9000        0x2cba8       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1017040        0x148         .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy               Characteristics
.text    0x1000           0xa0545d      0xa05600  70a79c4c8148653252383d98df208895  unknown   unknown              unknown    unknown               IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata   0xa07000         0x60f9c0      0x60fa00  c9ec2cdd8bd2beb43287e13d9c4c6b46  unknown   unknown              unknown    unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x1017000        0xb04f0       0x42200   cff480a34ba3c84cb1433ef56bfad823  False     0.38640122873345933  data       4.766100052123223     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   0x10c8000        0x490         0x600     2de8cfa279b681a3b3b28dc4e0b9db8c  False     0.3365885416666667   data       3.756870989745463     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc   0x10c9000        0x2cba8       0x2cc00   9a1d445ff529b1f9ba1926f86277c092  False     0.13103941166201116  data       5.445059390091143     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab  0x10f6000        0x4           0x200     07b5472d347d42780469fb2654b7fc54  False     0.02734375           data       0.020393135236084953  IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
kernel32.dll  WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
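The static fields above (TimeDateStamp 0x0, an empty SECURITY directory behind "Digitally signed: false", and a .symtab section outside the set a Windows toolchain normally emits) are the facts the "non-standard section names" observation rests on. The following Python is an added example, not Joe Sandbox code: a standard-library reader of the PE header and section table that reports those conditions plus per-section entropy. Because it has to run offline it is fed a small PE32+ image constructed in memory whose section names and flags copy this sample's layout (the bytes inside the sections are filler); `build_synthetic_pe`, `triage` and `STANDARD_SECTIONS` are names of the example, not of any tool on this page. Point `triage()` at the bytes of a real file to use it as written.

```python
"""Static triage over a PE header, mirroring the section table above.

Added example, not Joe Sandbox code: standard library only, run against a
tiny PE32+ image constructed in memory (section names and flags copy this
sample's layout; the bytes inside the sections are made up).
"""
import math
import struct
from collections import Counter

# Section names the usual Windows toolchains emit. Anything else is reported;
# .symtab, for instance, is written by the Go linker and is not on this list.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".debug", ".CRT"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (TimeDateStamp, SECURITY directory size, section records)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start at +112 in PE32+ (+96 in PE32); entry 4 is SECURITY.
    dirs = opt + (112 if magic == 0x20B else 96)
    _sec_va, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return timestamp, sec_size, sections


def triage(pe: bytes) -> dict:
    """The checks behind the static observations above, as plain values."""
    timestamp, sec_size, sections = parse_sections(pe)
    return {
        "zero_timestamp": timestamp == 0,      # Go's linker writes 0 by default
        "unsigned": sec_size == 0,             # no Authenticode certificate table
        "nonstandard_sections": [s["name"] for s in sections
                                 if s["name"] not in STANDARD_SECTIONS],
        "rwx_sections": [s["name"] for s in sections
                         if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        "section_entropy": {s["name"]: round(s["entropy"], 2) for s in sections},
    }


def build_synthetic_pe(section_specs, timestamp=0):
    """Constructed minimal PE32+ (DOS header, COFF/optional headers with every data
    directory zeroed, section table, section data) so the example runs offline."""
    file_align, sect_align, e_lfanew, opt_size = 0x200, 0x1000, 0x80, 240
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(section_specs)
    first_raw = -(-headers_end // file_align) * file_align
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), timestamp, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")
    table, blobs, va, raw_ptr = b"", b"", sect_align, first_raw
    for name, data, chars in section_specs:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += max(sect_align, -(-len(data) // sect_align) * sect_align)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + blobs


# Constructed stand-in for 1https.exe: same section names and characteristics
# as the table above, zero timestamp, no certificate table; contents are filler.
SAMPLE_PE = build_synthetic_pe([
    (".text", bytes(range(256)) * 4, 0x60000020),
    (".rdata", b"constructed read-only data\0", 0x40000040),
    (".data", b"\0" * 0x100, 0xC0000040),
    (".idata", b"kernel32.dll\0", 0xC0000040),
    (".reloc", b"\0" * 0x40, 0x42000040),
    (".symtab", b"\0" * 4, 0x42000000),
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Entropy is reported per section rather than for the whole file because a packed or encrypted payload shows up as one section near 8.0 while the rest of the image stays ordinary; the whole-file figure of 6.12 above averages that away. The RWX check is included because it is the other section-level flag an analyst reads off this table, even though none of this sample's sections is both writable and executable.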


                • Total Packets: 41
                • 443 (HTTPS)
                • 80 (HTTP)
                • 53 (DNS)
TCP packets (all between 192.168.2.17 and 45.61.169.127; each burst opens a connection to port 443 and, about 150 ms later, a second connection to port 80 on the same host):
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 21, 2025 17:42:55.658092976 CET  49713        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:55.658138037 CET  443          49713      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:55.658231020 CET  49713        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:55.658620119 CET  49713        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:55.658637047 CET  443          49713      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:55.790884972 CET  443          49713      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:55.812328100 CET  49714        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:55.947844028 CET  80           49714      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:56.463490009 CET  49714        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:56.600975037 CET  80           49714      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:57.111485958 CET  49714        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:57.244282961 CET  80           49714      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:57.749594927 CET  49714        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:57.884582043 CET  80           49714      45.61.169.127  192.168.2.17
Mar 21, 2025 17:42:58.386585951 CET  49714        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:42:58.517846107 CET  80           49714      45.61.169.127  192.168.2.17
Mar 21, 2025 17:43:58.539201021 CET  49975        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:43:58.539254904 CET  443          49975      45.61.169.127  192.168.2.17
Mar 21, 2025 17:43:58.539356947 CET  49975        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:43:58.539752960 CET  49975        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:43:58.539767981 CET  443          49975      45.61.169.127  192.168.2.17
Mar 21, 2025 17:43:58.677695990 CET  443          49975      45.61.169.127  192.168.2.17
Mar 21, 2025 17:43:58.686364889 CET  49976        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:43:58.819638014 CET  80           49976      45.61.169.127  192.168.2.17
Mar 21, 2025 17:43:59.330823898 CET  49976        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:43:59.464781046 CET  80           49976      45.61.169.127  192.168.2.17
Mar 21, 2025 17:43:59.970808983 CET  49976        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:00.103023052 CET  80           49976      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:00.608840942 CET  49976        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:00.742038012 CET  80           49976      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:01.246848106 CET  49976        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:01.380930901 CET  80           49976      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:28.587378979 CET  49994        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:28.587430000 CET  443          49994      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:28.587573051 CET  49994        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:28.587997913 CET  49994        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:28.588011026 CET  443          49994      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:28.722455025 CET  443          49994      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:28.738410950 CET  49995        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:28.871742964 CET  80           49995      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:29.373522997 CET  49995        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:29.506165028 CET  80           49995      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:30.009526014 CET  49995        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:30.141503096 CET  80           49995      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:30.644690990 CET  49995        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:38.646420002 CET  49995        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:38.780046940 CET  80           49995      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:38.849857092 CET  49997        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:38.849917889 CET  443          49997      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:38.850069046 CET  49997        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:38.850474119 CET  49997        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:38.850507021 CET  443          49997      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:38.982496977 CET  443          49997      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:38.994415045 CET  49998        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:39.126626968 CET  80           49998      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:39.628520012 CET  49998        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:39.759944916 CET  80           49998      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:40.268536091 CET  49998        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:40.399794102 CET  80           49998      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:40.905556917 CET  49998        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:41.036134958 CET  80           49998      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:41.543427944 CET  49998        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:41.675198078 CET  80           49998      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:44.119976044 CET  49999        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:44.120029926 CET  443          49999      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:44.120269060 CET  49999        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:44.121143103 CET  49999        443        192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:44.121153116 CET  443          49999      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:44.254183054 CET  443          49999      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:44.267765999 CET  50000        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:44.400511980 CET  80           50000      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:44.909871101 CET  50000        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:45.048017979 CET  80           50000      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:45.563858986 CET  50000        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:45.697731018 CET  80           50000      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:46.200892925 CET  50000        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:46.333267927 CET  80           50000      45.61.169.127  192.168.2.17
Mar 21, 2025 17:44:46.839962006 CET  50000        80         192.168.2.17   45.61.169.127
Mar 21, 2025 17:44:46.972285986 CET  80           50000      45.61.169.127  192.168.2.17
UDP packets:
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Mar 21, 2025 17:42:55.370594025 CET  52131        53         192.168.2.17  1.1.1.1
Mar 21, 2025 17:42:55.655073881 CET  53           52131      1.1.1.1       192.168.2.17

DNS queries:
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Mar 21, 2025 17:42:55.370594025 CET  192.168.2.17  1.1.1.1  0xa0af    Standard query (0)  marnyonline.com  A (IP address)  IN (0x0001)  false

DNS answers:
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name             CName  Address        Type            Class        DNS over HTTPS
Mar 21, 2025 17:42:55.655073881 CET  1.1.1.1    192.168.2.17  0xa0af    No error (0)  marnyonline.com  -      45.61.169.127  A (IP address)  IN (0x0001)  false
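The packet tables above are flat per-packet records; what an analyst actually wants from them is the per-connection view: which client port talked to which server port, how the port-443 and port-80 connections pair up, and how far apart successive connections are. The following Python is an added example, not Joe Sandbox output, that does that reconstruction. The records it runs on are transcribed from the TCP table above (a constructed subset, not the full capture); `build_flows`, `https_to_http_followups` and `beacon_intervals` are names of the example. On a real case the same functions would be fed the rows of the exported PCAP.

```python
"""Flow reconstruction over sandbox packet records.

Added example, not Joe Sandbox code. RECORDS is transcribed from the TCP
packet table above (client 192.168.2.17, server 45.61.169.127) and is a
constructed subset of the capture, chosen to keep the example short.
"""
from datetime import datetime

CLIENT, SERVER = "192.168.2.17", "45.61.169.127"

# (timestamp as printed by the sandbox, src port, dst port, src ip, dst ip)
RECORDS = [
    ("Mar 21, 2025 17:42:55.658092976 CET", 49713, 443, CLIENT, SERVER),
    ("Mar 21, 2025 17:42:55.658138037 CET", 443, 49713, SERVER, CLIENT),
    ("Mar 21, 2025 17:42:55.790884972 CET", 443, 49713, SERVER, CLIENT),
    ("Mar 21, 2025 17:42:55.812328100 CET", 49714, 80, CLIENT, SERVER),
    ("Mar 21, 2025 17:42:55.947844028 CET", 80, 49714, SERVER, CLIENT),
    ("Mar 21, 2025 17:42:56.463490009 CET", 49714, 80, CLIENT, SERVER),
    ("Mar 21, 2025 17:42:58.517846107 CET", 80, 49714, SERVER, CLIENT),
    ("Mar 21, 2025 17:43:58.539201021 CET", 49975, 443, CLIENT, SERVER),
    ("Mar 21, 2025 17:43:58.677695990 CET", 443, 49975, SERVER, CLIENT),
    ("Mar 21, 2025 17:43:58.686364889 CET", 49976, 80, CLIENT, SERVER),
    ("Mar 21, 2025 17:44:01.380930901 CET", 80, 49976, SERVER, CLIENT),
    ("Mar 21, 2025 17:44:28.587378979 CET", 49994, 443, CLIENT, SERVER),
    ("Mar 21, 2025 17:44:28.722455025 CET", 443, 49994, SERVER, CLIENT),
    ("Mar 21, 2025 17:44:28.738410950 CET", 49995, 80, CLIENT, SERVER),
    ("Mar 21, 2025 17:44:38.780046940 CET", 80, 49995, SERVER, CLIENT),
]


def parse_ts(text: str) -> datetime:
    """The sandbox prints nanoseconds and a zone label; datetime takes at most
    microseconds, so drop the label and truncate the fraction to six digits."""
    stamp = text.rsplit(" ", 1)[0]
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(records, local_prefix="192.168."):
    """Group packets into client-initiated flows keyed by
    (client port, server ip, server port), counting packets per direction."""
    flows = {}
    for ts_text, sport, dport, sip, dip in records:
        ts = parse_ts(ts_text)
        if sip.startswith(local_prefix):
            key, direction = (sport, dip, dport), "out"
        else:
            key, direction = (dport, sip, sport), "in"
        f = flows.setdefault(key, {"first": ts, "last": ts, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f[direction] += 1
    return flows


def https_to_http_followups(flows, window_s=2.0):
    """Pair each port-443 flow with the first port-80 flow to the same server
    that opens within window_s seconds of it. Returns (tls key, plain key, gap)."""
    tls = [(k, v) for k, v in flows.items() if k[2] == 443]
    plain = [(k, v) for k, v in flows.items() if k[2] == 80]
    pairs = []
    for tk, tv in tls:
        for pk, pv in plain:
            gap = (pv["first"] - tv["first"]).total_seconds()
            if pk[1] == tk[1] and 0 <= gap <= window_s:
                pairs.append((tk, pk, round(gap, 3)))
                break
    return pairs


def beacon_intervals(flows, port=443):
    """Seconds between successive client connections to `port`: the cadence an
    analyst compares against a suspected implant's reconnect interval."""
    starts = sorted(v["first"] for k, v in flows.items() if k[2] == port)
    return [round((b - a).total_seconds(), 1) for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    fl = build_flows(RECORDS)
    for tls_key, plain_key, gap in https_to_http_followups(fl):
        print(f"{tls_key[0]}/443 followed by {plain_key[0]}/80 after {gap}s")
    print("intervals between port-443 connections:", beacon_intervals(fl))
```

On this subset the pairing yields three 443-then-80 couples about 0.15 s apart and intervals of 62.9 s and 30.0 s between port-443 connections. Run over the full table, the five bursts (17:42:55, 17:43:58, 17:44:28, 17:44:38, 17:44:44) line up with the start times of the four 1https.exe processes listed below (12:42:53, 12:44:27, 12:44:37, 12:44:43, allowing for the fixed offset between the two clocks) plus one repeat roughly a minute after the first, which is the kind of correlation between process creation and outbound connections that turns a packet list into an attribution of which process beaconed.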


                Target ID:0
                Start time:12:42:53
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\1https.exe"
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000002.2481363679.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000000.1230899221.0000000001A44000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1230899221.00000000017D7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:13
                Start time:12:44:00
                Start date:21/03/2025
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Imagebase:0x7ff6f15e0000
                File size:71'680 bytes
                MD5 hash:EF3179D498793BF4234F708D3BE28633
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:12:44:14
                Start date:21/03/2025
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\cmd.exe"
                Imagebase:0x7ff683fb0000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:15
                Start time:12:44:14
                Start date:21/03/2025
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff62a120000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:16
                Start time:12:44:27
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:1https.exe
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000010.00000002.2484061604.000000C00024C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000010.00000002.2484061604.000000C000225000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:17
                Start time:12:44:37
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:1https.exe /?
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000011.00000002.2481682720.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:18
                Start time:12:44:43
                Start date:21/03/2025
                Path:C:\Users\user\Desktop\1https.exe
                Wow64 process (32bit):false
                Commandline:1https.exe -?
                Imagebase:0xdd0000
                File size:17'320'960 bytes
                MD5 hash:3F6DD6C85F9E9A02FDEA20076F69B66D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:Go lang
                Yara matches:
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000012.00000002.2481242678.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000012.00000002.2481242678.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000012.00000002.2481242678.000000C000168000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                No disassembly