
Windows Analysis Report
GEwWDGafs9.exe

Overview

General Information

Sample name: GEwWDGafs9.exe
renamed because original name is a hash value
Original sample name: 1620529d44dd56fe7beb51b1dbc75fd6.exe
Analysis ID: 1647699
MD5: 1620529d44dd56fe7beb51b1dbc75fd6
SHA1: b300643e88ff98aff7d889fd8c15dbdac319ad27
SHA256: 0c32fe825a579830125c18d53460860500723372977f20eb40121e687706447d
Tags: exe, user-abuse_ch

Detection

Clipboard Hijacker
Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
Joe Sandbox ML detected suspicious sample
Potentially malicious time measurement code found
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • GEwWDGafs9.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\GEwWDGafs9.exe" MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
    • cmd.exe (PID: 6276 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6420 cmdline: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 4252 cmdline: ping localhost -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
        • clip.exe (PID: 3676 cmdline: C:\Users\user\AppData\Local\clip.exe MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
  • clip.exe (PID: 6652 cmdline: "C:\Users\user\AppData\Local\clip.exe" MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
  • clip.exe (PID: 4456 cmdline: "C:\Users\user\AppData\Local\clip.exe" MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: clip.exe PID: 3676 | JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
    Sigma match (Communication To Uncommon Destination Ports) | Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 185.208.159.226, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Users\user\Desktop\GEwWDGafs9.exe, Initiated: true, ProcessId: 6976, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49684
    Sigma match (CurrentVersion Autorun Keys Modification) | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\clip.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\GEwWDGafs9.exe, ProcessId: 6976, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clip
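    The process tree and the Sigma data above describe a small, very recognisable launcher pattern: the sample writes a HKCU Run value pointing at a copy of itself in AppData\Local, then runs cmd.exe with "ping localhost -n 1 && start ...clip.exe", using ping purely as a delay before the copy starts. The following Python is an added example written for this page, not code from the Joe Sandbox report; it runs a detection over constructed Sysmon-style event records (EventID 1 process creation, EventID 13 registry value set). PIDs, paths, command lines and MD5s are taken from the report; the dict layout, the parent PID of the first process and the benign control event at the end are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events mirroring the report's process tree and the
# Sigma match data (EventID 1 = process create, EventID 13 = registry value set).
# PIDs, paths, command lines and MD5s are the report's; the dict layout and the
# benign control event at the end are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 6976, "ParentProcessId": 1000,
     "Image": r"C:\Users\user\Desktop\GEwWDGafs9.exe",
     "CommandLine": r'"C:\Users\user\Desktop\GEwWDGafs9.exe"',
     "Hashes": "MD5=1620529D44DD56FE7BEB51B1DBC75FD6"},
    {"EventID": 13, "ProcessId": 6976, "EventType": "SetValue",
     "Image": r"C:\Users\user\Desktop\GEwWDGafs9.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clip",
     "Details": r"C:\Users\user\AppData\Local\clip.exe"},
    {"EventID": 1, "ProcessId": 6276, "ParentProcessId": 6976,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"',
     "Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE"},
    {"EventID": 1, "ProcessId": 4252, "ParentProcessId": 6420,
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping localhost -n 1",
     "Hashes": "MD5=2F46799D79D22AC72C241EC0322B011D"},
    {"EventID": 1, "ProcessId": 3676, "ParentProcessId": 6420,
     "Image": r"C:\Users\user\AppData\Local\clip.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\clip.exe",
     "Hashes": "MD5=1620529D44DD56FE7BEB51B1DBC75FD6"},
    # Benign control (constructed): an installer registering a Run value that
    # points into Program Files; this must not fire.
    {"EventID": 13, "ProcessId": 5000, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# "ping <host> -n <count>" chained with && into a start of something: ping is
# being used as a sleep before the real payload is launched.
PING_SLEEP = re.compile(r"\bping\b[^&]*-n\s+\d+[^&]*&&\s*(?:start\s+)?(?P<target>\S+)", re.I)


def md5_of(event):
    """Pull the MD5 out of a Sysmon 'Hashes' field; None if absent."""
    m = re.search(r"MD5=([0-9A-Fa-f]{32})", event.get("Hashes", ""))
    return m.group(1).upper() if m else None


def triage(events):
    """Return (rule, key, detail) findings over Sysmon-style event dicts."""
    findings = []
    images_by_md5 = defaultdict(set)
    for e in events:
        if e["EventID"] == 1:
            h = md5_of(e)
            if h:
                images_by_md5[h].add(e["Image"])
            m = PING_SLEEP.search(e["CommandLine"])
            if m:
                target = m.group("target").strip('"')
                if USER_WRITABLE.match(target):
                    findings.append(("ping_sleep_launcher", e["ProcessId"], target))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            details = e["Details"].strip('"')
            if USER_WRITABLE.match(details):
                findings.append(("run_key_user_writable", e["ProcessId"], details))
    # The same hash executing from two different paths means the sample copied
    # itself (Desktop\GEwWDGafs9.exe and AppData\Local\clip.exe share one MD5).
    for h, images in images_by_md5.items():
        if len(images) > 1:
            findings.append(("self_copy_executed", h, sorted(images)))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

    The three rules are deliberately narrow: a Run value is only flagged when it points into a user-writable profile directory, and the ping chain is only flagged when the thing started afterwards lives there too, which keeps ordinary installers and admin scripts quiet. The hash-reuse rule is the cheapest of the three and would have caught this sample on its own, because clip.exe in the report carries the same MD5 as the submitted file.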
    No Suricata rule has matched


    AV Detection

    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/5s | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/Ltd0 | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/licy | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/055556e2d441781489ce4a8b4255b/ | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226/t | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/f | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/lD | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/ithub.com | Avira URL Cloud: Label: malware
    Source: http://93.88.203.34/cl/BatClipT | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226/ | Avira URL Cloud: Label: malware
    Source: http://93.88.203.34/cl/BatClipT.bat | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/k | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/l | Avira URL Cloud: Label: malware
    Source: http://93.88.203.34/cl/BatClipT.bat. | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/ | Avira URL Cloud: Label: malware
    Source: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/A | Avira URL Cloud: Label: malware
    Source: C:\Users\user\AppData\Local\clip.exe | ReversingLabs: Detection: 72%
    Source: GEwWDGafs9.exe | Virustotal: Detection: 42%
    Source: GEwWDGafs9.exe | ReversingLabs: Detection: 72%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.8:49683 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.8:49686 version: TLS 1.2
    Source: GEwWDGafs9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Users\Administrator\Desktop\OneDrive\good\be1055556e2d441781489ce4a8b4255b\x64\Release\LClipper.pdb | source: GEwWDGafs9.exe, clip.exe.0.dr
    Source: Binary string: C:\Users\Administrator\Desktop\OneDrive\good\be1055556e2d441781489ce4a8b4255b\x64\Release\LClipper.pdbq | source: GEwWDGafs9.exe, clip.exe.0.dr
    The build directory in the PDB path, be1055556e2d441781489ce4a8b4255b, is the same 32-hex-character value used as the URL path on 185.208.159.226:8888, so the identifier is fixed at build time and is usable as an indicator in both the binary and the traffic.

    Networking

    Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 8888
    Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49684
    Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 8888
    Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49687
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
    Source: global traffic | TCP traffic: 192.168.2.8:49684 -> 185.208.159.226:8888
    Source: Joe Sandbox View | IP Address: 208.95.112.1
    Source: Joe Sandbox View | IP Address: 185.199.109.133
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | DNS query: name: ip-api.com
    Source: unknown | TCP traffic detected without corresponding DNS query: 185.208.159.226 (reported 15 times)
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
    Source: global traffic | HTTP traffic detected: GET /VeraImage/MilitarySource/refs/heads/main/Code HTTP/1.1 | User-Agent: ClpBot | Host: raw.githubusercontent.com | Cache-Control: no-cache (seen twice)
    Source: global traffic | HTTP traffic detected: GET /line/ HTTP/1.1 | User-Agent: ClpBot | Host: ip-api.com | Cache-Control: no-cache (seen twice)
    Source: global traffic | HTTP traffic detected: GET /be1055556e2d441781489ce4a8b4255b/ HTTP/1.1 | User-Agent: ClpBot | Host: 185.208.159.226:8888 | Cache-Control: no-cache (seen twice)
    Source: global traffic | DNS traffic detected: DNS query: ip-api.com
    Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA283B000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226/
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA283B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226/t
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/
    Source: clip.exe, 00000007.00000002.2101683642.000002B08967A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/055556e2d441781489ce4a8b4255b/
    Source: clip.exe, 00000007.00000002.2101683642.000002B08967A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/5s
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/A
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/Ltd0
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/f
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/ithub.com
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/k
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/l
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/lD
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA283B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/licy
    Source: clip.exe, 00000007.00000002.2101293456.000000FE58567000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://185.208.k
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://93.88.203.34/cl/BatClipT
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://93.88.203.34/cl/BatClipT.bat
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://93.88.203.34/cl/BatClipT.bat.
    Source: GEwWDGafs9.exe, clip.exe.0.dr | String found in binary or memory: http://ip-api.com/line/
    Source: GEwWDGafs9.exe, clip.exe.0.dr | String found in binary or memory: http://ip-api.com/line/RUBYUA319DD6909CD249748E8DDD964865100CUVQIdHEDDAUPJnZWAA0GAwB0DHx9J1wCVQBUAQM
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27EA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/
    Source: clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/2
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/V
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27C6000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B08967A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code
    Source: clip.exe, 00000007.00000002.2101683642.000002B08967A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code9
    Source: clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code:
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeM
    Source: clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodePlr
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27C6000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeWindows
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codeh
    Source: clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codem
    Source: clip.exe, 00000007.00000002.2101683642.000002B0896B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/e
    Source: clip.exe, 00000007.00000002.2101683642.000002B089656000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/icates
    Most of the entries above are truncated or over-read fragments of four distinct URLs: http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/ (the C2 seen in traffic), http://93.88.203.34/cl/BatClipT.bat (present in memory only, not observed in traffic during this run), http://ip-api.com/line/ (public IP lookup) and https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code (fetched at start-up).
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
    Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
    Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.8:49683 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.8:49686 version: TLS 1.2
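    Three traits of the traffic above are what the networking signatures key on: the C2 is contacted by bare IP on TCP 8888 with no DNS query preceding it, every request carries the non-browser User-Agent "ClpBot", and one request goes to ip-api.com to learn the victim's public IP. The following Python is an added example written for this page, not code from Joe Sandbox; it runs those checks over constructed DNS, connection and HTTP records. IPs, ports, hostnames, URIs and the User-Agent are the report's; timestamps, the record layout, the expected-User-Agent allow-list and the benign example.org row are assumptions.

```python
import ipaddress

# Constructed records mirroring the report's Networking section. IPs, ports,
# hostnames, URIs and the "ClpBot" User-Agent are taken from the report; the
# record layout, timestamps and the benign control row are assumptions.
DNS_ANSWERS = [
    {"ts": 1.0, "query": "raw.githubusercontent.com", "answers": ["185.199.109.133"]},
    {"ts": 2.0, "query": "ip-api.com", "answers": ["208.95.112.1"]},
]
CONNECTIONS = [
    {"ts": 0.5, "dst": "1.1.1.1", "dport": 53, "proto": "udp"},           # the resolver itself
    {"ts": 1.5, "dst": "185.199.109.133", "dport": 443, "proto": "tcp"},   # after a DNS answer
    {"ts": 2.5, "dst": "208.95.112.1", "dport": 80, "proto": "tcp"},       # after a DNS answer
    {"ts": 3.0, "dst": "185.208.159.226", "dport": 8888, "proto": "tcp"},  # never resolved
]
HTTP_REQUESTS = [
    {"host": "raw.githubusercontent.com", "port": 443,
     "uri": "/VeraImage/MilitarySource/refs/heads/main/Code", "user_agent": "ClpBot"},
    {"host": "ip-api.com", "port": 80, "uri": "/line/", "user_agent": "ClpBot"},
    {"host": "185.208.159.226:8888", "port": 8888,
     "uri": "/be1055556e2d441781489ce4a8b4255b/", "user_agent": "ClpBot"},
    {"host": "example.org", "port": 443, "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
]

WEB_PORTS = {80, 443, 8080, 8443}
DNS_PORTS = {53}
PUBLIC_IP_LOOKUP_HOSTS = {"ip-api.com"}
# Allow-list of User-Agent prefixes a Windows host legitimately emits (an
# assumption for this example; tune per environment, it is a heuristic).
EXPECTED_UA_PREFIXES = ("Mozilla/", "Microsoft", "Windows-Update-Agent", "curl/")


def find_hardcoded_destinations(connections, dns_answers):
    """Public IPs contacted before, or without, any DNS answer returning them.

    A hard-coded C2 address shows up exactly like this in the report:
    'TCP traffic detected without corresponding DNS query'.
    """
    first_answer = {}
    for rec in dns_answers:
        for ip in rec["answers"]:
            first_answer[ip] = min(rec["ts"], first_answer.get(ip, rec["ts"]))
    hits = []
    for c in connections:
        ip = ipaddress.ip_address(c["dst"])
        if c["dport"] in DNS_PORTS or not ip.is_global:
            continue
        if first_answer.get(c["dst"], float("inf")) > c["ts"]:
            hits.append((c["dst"], c["dport"]))
    return hits


def triage_http(requests):
    """Tag each request with the traits the report's signatures fire on."""
    findings = []
    for r in requests:
        tags = []
        host = r["host"].rsplit(":", 1)[0]          # drop an explicit :port
        if r["port"] not in WEB_PORTS:
            tags.append("nonstandard_port")
        if not r["user_agent"].startswith(EXPECTED_UA_PREFIXES):
            tags.append("unexpected_user_agent")
        if host in PUBLIC_IP_LOOKUP_HOSTS:
            tags.append("public_ip_lookup")
        try:
            ipaddress.ip_address(host)               # Host header is an IP literal
            tags.append("ip_literal_host")
        except ValueError:
            pass
        if tags:
            findings.append((r["host"] + r["uri"], sorted(tags)))
    return findings


if __name__ == "__main__":
    print("hard-coded destinations:", find_hardcoded_destinations(CONNECTIONS, DNS_ANSWERS))
    for url, tags in triage_http(HTTP_REQUESTS):
        print(url, tags)
```

    The DNS correlation is ordered by time rather than by simple set membership so that a connection made before the answer arrives is still flagged. Two of the report's networking signatures, "IP address seen in connection with other malware" and "JA3 SSL client fingerprint seen in connection with other malware", are threat-intelligence lookups and cannot be reproduced offline; the checks above are the ones you can run on your own telemetry.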
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Code functions (process 0, dump 2): 0_2_00007FF65599BCC0, 0_2_00007FF65599B900, 0_2_00007FF65599B260, 0_2_00007FF65599BE60, 0_2_00007FF655995C40, 0_2_00007FF655997A40, 0_2_00007FF6559978A0, 0_2_00007FF65599CAA0, 0_2_00007FF65599F0A0, 0_2_00007FF655998E80, 0_2_00007FF65599EFE2, 0_2_00007FF65599BFF0, 0_2_00007FF655A329D0, 0_2_00007FF65599E400, 0_2_00007FF65599B760, 0_2_00007FF65599ED70, 0_2_00007FF65599A172, 0_2_00007FF655997740, 0_2_00007FF65599E540, 0_2_00007FF65599B5A0, 0_2_00007FF6559995A0, 0_2_00007FF65599A9B0, 0_2_00007FF655993780, 0_2_00007FF65599A180
    Source: C:\Users\user\AppData\Local\clip.exe | Code functions (process 7, dump 2): 7_2_00007FF61EB9E400, 7_2_00007FF61EC329D0, 7_2_00007FF61EB9EFE2, 7_2_00007FF61EB9BFF0, 7_2_00007FF61EB93780, 7_2_00007FF61EB9A180, 7_2_00007FF61EB9B5A0, 7_2_00007FF61EB995A0, 7_2_00007FF61EB9A9B0, 7_2_00007FF61EB97740, 7_2_00007FF61EB9E540, 7_2_00007FF61EB9B760, 7_2_00007FF61EB9ED70, 7_2_00007FF61EB9A172, 7_2_00007FF61EB9B900, 7_2_00007FF61EB9BCC0, 7_2_00007FF61EB98E80, 7_2_00007FF61EB978A0, 7_2_00007FF61EB9CAA0, 7_2_00007FF61EB9F0A0, 7_2_00007FF61EB95C40, 7_2_00007FF61EB97A40, 7_2_00007FF61EB9B260, 7_2_00007FF61EB9BE60
    The two lists are the same 24 functions at different load addresses (the image is DYNAMIC_BASE, so each process gets its own ASLR base); clip.exe is a byte-identical copy of the submitted sample, as its matching MD5 in the process tree shows.
    Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@13/9@2/3
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\line[1].txt
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
    Source: C:\Users\user\AppData\Local\clip.exe | Mutant created: \Sessions\1\BaseNamedObjects\aUkJ+dUJw
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
    Source: C:\Users\user\AppData\Local\clip.exe | File created: C:\Users\user\AppData\Local\Temp\ChromiumDatagram.txt
    Source: GEwWDGafs9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: GEwWDGafs9.exe | Virustotal: Detection: 42%
    Source: GEwWDGafs9.exe | ReversingLabs: Detection: 72%
    Source: GEwWDGafs9.exe | String found in binary or memory: id-cmc-addExtensions
    Source: GEwWDGafs9.exe | String found in binary or memory: set-addPolicy
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | File read: C:\Users\user\Desktop\GEwWDGafs9.exe
    Source: unknown | Process created: C:\Users\user\Desktop\GEwWDGafs9.exe "C:\Users\user\Desktop\GEwWDGafs9.exe"
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\clip.exe C:\Users\user\AppData\Local\clip.exe
    Source: unknown | Process created: C:\Users\user\AppData\Local\clip.exe "C:\Users\user\AppData\Local\clip.exe"
    Source: unknown | Process created: C:\Users\user\AppData\Local\clip.exe "C:\Users\user\AppData\Local\clip.exe"
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Section loaded (in order): apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, ntmarta.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\PING.EXE | Section loaded (in order): iphlpapi.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, winnsi.dll
    Source: C:\Users\user\AppData\Local\clip.exe | Section loaded (in order): apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, dpapi.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
    Source: C:\Users\user\AppData\Local\clip.exe | Section loaded: wininet.dll, kernel.appcore.dll (listed twice, for the further clip.exe instances)
    Source: C:\Users\user\Desktop\GEwWDGafs9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
    Source: GEwWDGafs9.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: GEwWDGafs9.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: GEwWDGafs9.exeStatic file information: File size 3647488 > 1048576
    Source: GEwWDGafs9.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1be200
    Source: GEwWDGafs9.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a1200
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: GEwWDGafs9.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: GEwWDGafs9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Users\Administrator\Desktop\OneDrive\good\be1055556e2d441781489ce4a8b4255b\x64\Release\LClipper.pdb source: GEwWDGafs9.exe, clip.exe.0.dr
    Source: Binary string: C:\Users\Administrator\Desktop\OneDrive\good\be1055556e2d441781489ce4a8b4255b\x64\Release\LClipper.pdbq source: GEwWDGafs9.exe, clip.exe.0.dr
    Source: GEwWDGafs9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: GEwWDGafs9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: GEwWDGafs9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: GEwWDGafs9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: GEwWDGafs9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\GEwWDGafs9.exeCode function: 0_2_00007FF655998317 push rax; retf 0_2_00007FF655998313
    Source: C:\Users\user\Desktop\GEwWDGafs9.exeCode function: 0_2_00007FF6559982FE push rax; retf 0_2_00007FF655998313
    Source: C:\Users\user\AppData\Local\clip.exeCode function: 7_2_00007FF61EB982FE push rax; retf 7_2_00007FF61EB98313
    Source: C:\Users\user\AppData\Local\clip.exeCode function: 7_2_00007FF61EB98317 push rax; retf 7_2_00007FF61EB98313
    Source: GEwWDGafs9.exeStatic PE information: section name: .text entropy: 6.863597004168995
    Source: clip.exe.0.drStatic PE information: section name: .text entropy: 6.863597004168995
    Source: C:\Users\user\Desktop\GEwWDGafs9.exeFile created: C:\Users\user\AppData\Local\clip.exeJump to dropped file
    Source: C:\Users\user\Desktop\GEwWDGafs9.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run clipJump to behavior
    Source: C:\Users\user\Desktop\GEwWDGafs9.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run clipJump to behavior

    Hooking and other Techniques for Hiding and Protection

    Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 8888
    Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49684
    Source: unknownNetwork traffic detected: HTTP traffic on port 49687 -> 8888
    Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49687

    Malware Analysis System Evasion

    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Code function: 0_2_00007FF655991330 rdtsc 0_2_00007FF655991330
    Source: C:\Users\user\AppData\Local\clip.exe | Window / User API: threadDelayed 5418
    Source: C:\Users\user\AppData\Local\clip.exe TID: 2704 | Thread sleep count: 5418 > 30
    Source: C:\Users\user\AppData\Local\clip.exe TID: 2704 | Thread sleep time: -108360s >= -30000s
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | File opened: PhysicalDrive0
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\AppData\Local\clip.exe | Last function: Thread delayed
    Source: C:\Users\user\AppData\Local\clip.exe | Last function: Thread delayed
    Source: clip.exe, 00000007.00000002.2101683642.000002B08967A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0Q0
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA276C000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B0895FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
    Source: GEwWDGafs9.exe, 00000000.00000002.885114020.0000024FA27FA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2101683642.000002B08967A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

    Anti Debugging

    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Code function: 0_2_00007FF655991330 0_2_00007FF655991330
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Code function: 0_2_00007FF655991380 0_2_00007FF655991380
    Source: C:\Users\user\AppData\Local\clip.exe | Code function: 7_2_00007FF61EB91380 7_2_00007FF61EB91380
    Source: C:\Users\user\AppData\Local\clip.exe | Code function: 7_2_00007FF61EB91330 7_2_00007FF61EB91330
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Process queried: DebugPort
    Source: C:\Users\user\AppData\Local\clip.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Code function: 0_2_00007FF655991330 rdtsc 0_2_00007FF655991330
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\clip.exe C:\Users\user\AppData\Local\clip.exe
    Source: C:\Users\user\Desktop\GEwWDGafs9.exe | Code function: 0_2_00007FF655B17304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF655B17304

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: clip.exe PID: 3676, type: MEMORYSTR
    MITRE ATT&CK Matrix (techniques listed per tactic in matrix order; a number in parentheses is the count of matched signatures for that technique)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (3); Process Injection (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Compile After Delivery
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: System Time Discovery (1); Security Software Discovery (131); Virtualization/Sandbox Evasion (3); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (11); System Information Discovery (12)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: Encrypted Channel (11); Non-Standard Port (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
    Behavior Graph (ID: 1647699, Sample: GEwWDGafs9.exe, Startdate: 25/03/2025, Architecture: WINDOWS, Score: 92)

    Contacted hosts:
    • raw.githubusercontent.com: 185.199.109.133, ports 443, 49683, 49686 (FASTLYUS, Netherlands)
    • ip-api.com: 208.95.112.1, ports 49682, 49685, 80 (TUT-ASUS, United States)
    • 185.208.159.226, ports 49684, 49687, 8888 (SIMPLECARRER2IT, Switzerland)

    Dropped files:
    • C:\Users\user\AppData\Local\clip.exe (PE32+)
    • C:\Users\user\...\clip.exe:Zone.Identifier (ASCII)

    Process tree:
    • GEwWDGafs9.exe (Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Clipboard Hijacker; 2 other signatures; Potentially malicious time measurement code found)
      • cmd.exe (Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks)
        • conhost.exe
        • cmd.exe (Uses ping.exe to sleep)
          • conhost.exe
          • PING.EXE
          • clip.exe (Multi AV Scanner detection for dropped file; Potentially malicious time measurement code found)
    • clip.exe (started separately)
    • clip.exe (started separately)

    Source | Detection | Scanner | Label
    GEwWDGafs9.exe | 42% | Virustotal |
    GEwWDGafs9.exe | 72% | ReversingLabs | Win64.Trojan.Generic
    C:\Users\user\AppData\Local\clip.exe | 72% | ReversingLabs | Win64.Trojan.Generic
    No Antivirus matches
    No Antivirus matches


    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    raw.githubusercontent.com | 185.199.109.133 | true | false | | high
    ip-api.com | 208.95.112.1 | true | false | | high

    Name | Malicious | Antivirus Detection | Reputation
    http://ip-api.com/line/ | false | | high
    https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code | false | | high
    http://185.208.159.226:8888/be1055556e2d441781489ce4a8b4255b/ | false | Avira URL Cloud: malware | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    185.208.159.226 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | false
    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
    185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1647699
                                      Start date and time:2025-03-25 07:25:33 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 26s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:20
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:GEwWDGafs9.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:1620529d44dd56fe7beb51b1dbc75fd6.exe
                                      Detection:MAL
                                      Classification:mal92.troj.spyw.evad.winEXE@13/9@2/3
                                      EGA Information:Failed
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.204.23.20
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target GEwWDGafs9.exe, PID 6976 because there are no executed functions
    • Execution Graph export aborted for target clip.exe, PID 3676 because there are no executed functions
    • Not all processes were analyzed; report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    02:27:19 | API Interceptor | 3926x Sleep call for process: clip.exe modified
    07:26:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run clip C:\Users\user\AppData\Local\clip.exe
    07:26:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run clip C:\Users\user\AppData\Local\clip.exe
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      185.208.159.2261776871603.exeGet hashmaliciousClipboard HijackerBrowse
                                      • 185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/
                                      V1CCX70AZ8P70ADNI.exeGet hashmaliciousClipboard HijackerBrowse
                                      • 185.208.159.226:8888/921f83fca6994291b4bc3aa90673460d/
                                      208.95.112.1BootstrapperNew.exeGet hashmaliciousXWormBrowse
                                      • ip-api.com/line/?fields=hosting
                                      VerifiedCleanAsset.exeGet hashmaliciousPython Stealer, Blank Grabber, XWormBrowse
                                      • ip-api.com/json/?fields=225545
                                      VerifiedAssetLeaks.exeGet hashmaliciousPython Stealer, Blank Grabber, XWormBrowse
                                      • ip-api.com/json/?fields=225545
                                      Shibas-paid-menu.exeGet hashmaliciousXWormBrowse
                                      • ip-api.com/line/?fields=hosting
                                      fe.exeGet hashmaliciousXWormBrowse
                                      • ip-api.com/line/?fields=hosting
                                      fuckingxworm (1).exeGet hashmaliciousXWormBrowse
                                      • ip-api.com/line/?fields=hosting
                                      general.ps1Get hashmaliciousKdot StealerBrowse
                                      • ip-api.com/json/
                                      doc20250319-00812.bat.exeGet hashmaliciousAgentTeslaBrowse
                                      • ip-api.com/line/?fields=hosting
                                      POP_Swift_Copy_MTC78362-N70002.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                      • ip-api.com/line/?fields=hosting
                                      OC 005197.exeGet hashmaliciousAgentTeslaBrowse
                                      • ip-api.com/line/?fields=hosting
                                      185.199.109.133cr_asm3.ps1Get hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      gabe.ps1Get hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                      SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
                                      SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dllGet hashmaliciousAsyncRAT, XWormBrowse
                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | Z0avmyWNpj.exe | malicious | Nanocore | 185.199.110.133
raw.githubusercontent.com | XoilaFixer.exe | malicious | XWorm | 185.199.111.133
raw.githubusercontent.com | XoilaFixer.exe | malicious | XWorm | 185.199.111.133
raw.githubusercontent.com | LauncherV8.exe | malicious | LummaC Stealer, Salat Stealer | 185.199.109.133
raw.githubusercontent.com | iwr.bat | malicious | Quasar | 185.199.110.133
raw.githubusercontent.com | setup.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | setup.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | GADAR.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | GADAR.exe | malicious | Unknown | 185.199.108.133
ip-api.com | BootstrapperNew.exe | malicious | XWorm | 208.95.112.1
ip-api.com | VerifiedCleanAsset.exe | malicious | Python Stealer, Blank Grabber, XWorm | 208.95.112.1
ip-api.com | VerifiedAssetLeaks.exe | malicious | Python Stealer, Blank Grabber, XWorm | 208.95.112.1
ip-api.com | Shibas-paid-menu.exe | malicious | XWorm | 208.95.112.1
ip-api.com | fe.exe | malicious | XWorm | 208.95.112.1
ip-api.com | fuckingxworm (1).exe | malicious | XWorm | 208.95.112.1
ip-api.com | general.ps1 | malicious | Kdot Stealer | 208.95.112.1
ip-api.com | doc20250319-00812.bat.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | POP_Swift_Copy_MTC78362-N70002.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
ip-api.com | OC 005197.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | https://wetransfer.com/downloads/c8bc27df5dfd7191ef8f37cb3c6ac00d20250224065100/d32c95a77eed5b4a4b71cf1d195e388b20250224065134/2b0e6a?t_exp=1740984660&t_lsid=1b177f95-6705-4fde-b25f-deb1d43f0838&t_network=email&t_rid=ZW1haWx8Njc1NDBjYWZiNjM1NTFjNmY2NTBhM2Rl&t_s=download_link&t_ts=1740379894&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01 | malicious | Unknown | 151.101.65.229
FASTLYUS | Z0avmyWNpj.exe | malicious | Nanocore | 185.199.110.133
FASTLYUS | https://jainiklifesciences.com/proposals | malicious | HTMLPhisher | 151.101.1.229
FASTLYUS | https://jainiklifesciences.com/proposals | malicious | Unknown | 151.101.193.229
FASTLYUS | https://url.us.m.mimecastprotect.com/s/nZZ9Crkg3MtnDD2GHzh7U48vkg?domain=orangeconnection.org | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 151.101.130.137
FASTLYUS | https://sallybarmescounsellor.co.uk/pad4.pdf | malicious | Invisible JS, Tycoon2FA | 151.101.194.137
FASTLYUS | http://nicholsoncop.com/ | malicious | Invisible JS, Tycoon2FA | 151.101.130.137
FASTLYUS | http://mvvx.364055.infolifestyleku.com/rd/4jCxrf5801vTpm700nbgngwwdyb7063ADZCSOTQLCDWSON63806GPPL40170Q13 | malicious | Unknown | 151.101.194.132
FASTLYUS | #Ud83d#Udd0aAudio_Msg Overlakehospital.xhtml | malicious | HTMLPhisher | 151.101.2.137
FASTLYUS | secured audio__acgsys.com_4960914060.html | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 185.199.108.133
TUT-ASUS | BootstrapperNew.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | VerifiedCleanAsset.exe | malicious | Python Stealer, Blank Grabber, XWorm | 208.95.112.1
TUT-ASUS | VerifiedAssetLeaks.exe | malicious | Python Stealer, Blank Grabber, XWorm | 208.95.112.1
TUT-ASUS | Shibas-paid-menu.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | fe.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | fuckingxworm (1).exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | general.ps1 | malicious | Kdot Stealer | 208.95.112.1
TUT-ASUS | doc20250319-00812.bat.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | POP_Swift_Copy_MTC78362-N70002.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
TUT-ASUS | OC 005197.exe | malicious | AgentTesla | 208.95.112.1
SIMPLECARRER2IT | L1CsEGkjMQ.exe | malicious | Amadey | 185.196.8.37
SIMPLECARRER2IT | book.exe | malicious | Amadey | 185.196.8.37
SIMPLECARRER2IT | 0a0#U00a0.js | malicious | RHADAMANTHYS | 185.208.159.170
SIMPLECARRER2IT | 1099-NEC.pdf | malicious | RHADAMANTHYS | 185.208.159.170
SIMPLECARRER2IT | https://securefilepro.netlify.app/#Amanda_Taylor_Tax_Document_2024.pdf | malicious | RHADAMANTHYS | 185.208.159.170
SIMPLECARRER2IT | 1776871603.exe | malicious | Clipboard Hijacker | 185.208.159.226
SIMPLECARRER2IT | SecuriteInfo.com.W32.PossibleThreat.23653.11848.exe | malicious | Sliver | 185.196.8.88
SIMPLECARRER2IT | V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | 185.208.159.226
SIMPLECARRER2IT | logrotate | malicious | Xmrig | 185.196.8.41
SIMPLECARRER2IT | http://analysiscache.com | malicious | Unknown | 185.208.158.121
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Employee Satisfaction Survey 2025.exe | malicious | Remcos, GuLoader | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | Quotation ECDXB0007432025CJ.exe | malicious | GuLoader, Snake Keylogger | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | 3jEg2t38ra.exe | malicious | LummaC Stealer, Stealc, Vidar | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | JpPY0mRA9f.exe | malicious | Vidar | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | AjRfCGo2mb.exe | malicious | Vidar | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | cfKieT3lkP.exe | malicious | Vidar | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | CMR ReF 15200477813.docx.doc | malicious | Unknown | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | jn8DY8kfrM.msi | malicious | Unknown | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | rIMG523000010722100013267543polyhalogen.bat | malicious | Remcos, GuLoader | 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | 65W20 mokapto Siparisi.pdf.exe | malicious | GuLoader | 185.199.109.133
                                      No context
                                      Process:C:\Users\user\Desktop\GEwWDGafs9.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):21
                                      Entropy (8bit):3.010434089033337
                                      Encrypted:false
                                      SSDEEP:3:EQj7UFXDf/:EQnUtDf/
                                      MD5:92D65DE01D0749FDA422A3CA9DFFD46B
                                      SHA1:59D246850168572359D67DAE5F246C4CF9C4D3E5
                                      SHA-256:F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4
                                      SHA-512:29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1
                                      Malicious:false
                                      Reputation:low
                                      Preview:185.208.159.226:8888.
                                      Process:C:\Users\user\AppData\Local\clip.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):5
                                      Entropy (8bit):1.9219280948873623
                                      Encrypted:false
                                      SSDEEP:3:6:6
                                      MD5:A01AB5C0FF81A60B7D1CEA84CC7DCB7A
                                      SHA1:D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0
                                      SHA-256:53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232
                                      SHA-512:F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:"pro"
                                      Process:C:\Users\user\Desktop\GEwWDGafs9.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):5
                                      Entropy (8bit):1.9219280948873623
                                      Encrypted:false
                                      SSDEEP:3:6:6
                                      MD5:A01AB5C0FF81A60B7D1CEA84CC7DCB7A
                                      SHA1:D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0
                                      SHA-256:53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232
                                      SHA-512:F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82
                                      Malicious:false
                                      Preview:"pro"
                                      Process:C:\Users\user\AppData\Local\clip.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):188
                                      Entropy (8bit):5.274666513385075
                                      Encrypted:false
                                      SSDEEP:3:BztLQhNEmbWLcMLABPvrV2b0kEwAyQqZWzprdFlonuRcGdv1zprdFlo+Sfn:BZLQhNEmbG9LoB2oN11q+prdmecAprd2
                                      MD5:1EA47DE0DA2E131CA0E18A1874B913E1
                                      SHA1:3E2E37C22BF165F0FAEFA49A5B5A64A33F00B42F
                                      SHA-256:3F0F74E5E98DE77D0B4BB6D63DFC36546F7B8AD61734D535BB5CF8D75102A14D
                                      SHA-512:9BAC3A0B2A200DEC002165E25C7A78207AE433DB5D21D9CBDC8D589C4781A0C2E210FEE3BAF5EC093EED0E183F49E66D1432441065FB1008B5458AA7A20B70BB
                                      Malicious:false
                                      Preview:success.United States.US.MA.Massachusetts.Springfield.01101.42.0986.-72.5931.America/New_York.CROCKER COMMUNICATIONS, INCORPORATED..AS7849 CROCKER COMMUNICATIONS, INCORPORATED.161.77.13.2.
                                      Process:C:\Users\user\AppData\Local\clip.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):21
                                      Entropy (8bit):3.010434089033337
                                      Encrypted:false
                                      SSDEEP:3:EQj7UFXDf/:EQnUtDf/
                                      MD5:92D65DE01D0749FDA422A3CA9DFFD46B
                                      SHA1:59D246850168572359D67DAE5F246C4CF9C4D3E5
                                      SHA-256:F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4
                                      SHA-512:29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1
                                      Malicious:false
                                      Preview:185.208.159.226:8888.
                                      Process:C:\Users\user\Desktop\GEwWDGafs9.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):188
                                      Entropy (8bit):5.274666513385075
                                      Encrypted:false
                                      SSDEEP:3:BztLQhNEmbWLcMLABPvrV2b0kEwAyQqZWzprdFlonuRcGdv1zprdFlo+Sfn:BZLQhNEmbG9LoB2oN11q+prdmecAprd2
                                      MD5:1EA47DE0DA2E131CA0E18A1874B913E1
                                      SHA1:3E2E37C22BF165F0FAEFA49A5B5A64A33F00B42F
                                      SHA-256:3F0F74E5E98DE77D0B4BB6D63DFC36546F7B8AD61734D535BB5CF8D75102A14D
                                      SHA-512:9BAC3A0B2A200DEC002165E25C7A78207AE433DB5D21D9CBDC8D589C4781A0C2E210FEE3BAF5EC093EED0E183F49E66D1432441065FB1008B5458AA7A20B70BB
                                      Malicious:false
                                      Preview:success.United States.US.MA.Massachusetts.Springfield.01101.42.0986.-72.5931.America/New_York.CROCKER COMMUNICATIONS, INCORPORATED..AS7849 CROCKER COMMUNICATIONS, INCORPORATED.161.77.13.2.
                                      Process:C:\Users\user\AppData\Local\clip.exe
                                      File Type:very short file (no magic)
                                      Category:modified
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:V:V
                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                      Malicious:false
                                      Preview:0
                                      Process:C:\Users\user\Desktop\GEwWDGafs9.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):3647488
                                      Entropy (8bit):7.31524678352141
                                      Encrypted:false
                                      SSDEEP:49152:FmVwASOEGtlqCKIU6ingvS/U0eqGs1gTQJKDAbjRzFq5VYRVctpLMESh4Q1xorzg:2d+gBoFzoHEX9rDeHHhrX2ANMUN
                                      MD5:1620529D44DD56FE7BEB51B1DBC75FD6
                                      SHA1:B300643E88FF98AFF7D889FD8C15DBDAC319AD27
                                      SHA-256:0C32FE825A579830125C18D53460860500723372977F20EB40121E687706447D
                                      SHA-512:918C8DAA0BD3B1C61C28A63CBD8A13740FBFE81DA731F94C9CD85D6A3E306A8C39499C00B8E1BEB2B4862949A35A607050A83E2C106449F88989BB47DBB13196
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 72%
                                      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................-.......................................................................a......a......a......Rich............................PE..d......g.........."....*.....&.......k.........@.............................P8...........`.................................................|.5.......7.......6.L.............7.T[..@.4.p.....................4.(.....4.@............................................text............................... ..`.rdata..............................@..@.data........ 6..D....5.............@....pdata..L.....6......<6.............@..@.rsrc.........7......J7.............@..@.reloc..T[....7..\...L7.............@..B........................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\GEwWDGafs9.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Entropy (8bit):7.31524678352141
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:GEwWDGafs9.exe
                                      File size:3'647'488 bytes
                                      MD5:1620529d44dd56fe7beb51b1dbc75fd6
                                      SHA1:b300643e88ff98aff7d889fd8c15dbdac319ad27
                                      SHA256:0c32fe825a579830125c18d53460860500723372977f20eb40121e687706447d
                                      SHA512:918c8daa0bd3b1c61c28a63cbd8a13740fbfe81da731f94c9cd85d6a3e306a8c39499c00b8e1beb2b4862949a35a607050a83e2c106449f88989bb47dbb13196
                                      SSDEEP:49152:FmVwASOEGtlqCKIU6ingvS/U0eqGs1gTQJKDAbjRzFq5VYRVctpLMESh4Q1xorzg:2d+gBoFzoHEX9rDeHHhrX2ANMUN
                                      TLSH:EAF5D016B3A900E9D87BC13CD9964133E7F2B86917B0ABDB02A486751F237E15E3E741
                                      File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................-...................................................................................a.......a......
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x140186b90
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x67DC11D4 [Thu Mar 20 13:02:12 2025 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:290b5b74ed388a2f4e81683b8fd40b54
                                      Instruction
                                      dec eax
                                      sub esp, 28h
                                      call 00007F96CCC26520h
                                      dec eax
                                      add esp, 28h
                                      jmp 00007F96CCC25C27h
                                      int3
                                      int3
                                      inc eax
                                      push ebx
                                      dec eax
                                      sub esp, 20h
                                      dec eax
                                      mov ebx, ecx
                                      dec eax
                                      lea ecx, dword ptr [001E40ACh]
                                      call dword ptr [000397A6h]
                                      mov eax, dword ptr [001DD294h]
                                      dec eax
                                      lea ecx, dword ptr [001E4099h]
                                      mov edx, dword ptr [001E40B3h]
                                      inc eax
                                      mov dword ptr [001DD27Fh], eax
                                      mov dword ptr [ebx], eax
                                      dec eax
                                      mov eax, dword ptr [00000058h]
                                      inc ecx
                                      mov ecx, 00000004h
                                      dec esp
                                      mov eax, dword ptr [eax+edx*8]
                                      mov eax, dword ptr [001DD264h]
                                      inc ebx
                                      mov dword ptr [ecx+eax], eax
                                      call dword ptr [0003975Eh]
                                      dec eax
                                      lea ecx, dword ptr [001E4057h]
                                      dec eax
                                      add esp, 20h
                                      pop ebx
                                      dec eax
                                      jmp dword ptr [0003975Bh]
                                      int3
                                      int3
                                      int3
                                      inc eax
                                      push ebx
                                      dec eax
                                      sub esp, 20h
                                      dec eax
                                      mov ebx, ecx
                                      dec eax
                                      lea ecx, dword ptr [001E4040h]
                                      call dword ptr [0003973Ah]
                                      cmp dword ptr [ebx], 00000000h
                                      jne 00007F96CCC25DD4h
                                      or dword ptr [ebx], FFFFFFFFh
                                      jmp 00007F96CCC25DF7h
                                      inc ebp
                                      xor ecx, ecx
                                      dec eax
                                      lea edx, dword ptr [001E4026h]
                                      inc ecx
                                      or eax, FFFFFFFFh
                                      dec eax
                                      lea ecx, dword ptr [001E4013h]
                                      call dword ptr [00039725h]
                                      jmp 00007F96CCC25D8Bh
                                      cmp dword ptr [ebx], FFFFFFFFh
                                      je 00007F96CCC25D90h
                                      dec eax
                                      mov eax, dword ptr [00000058h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35fc7c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37e000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x36d000 | 0x10d4c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37f000 | 0x5b54 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x349b40 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x349d80 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x349a00 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1c0000 | 0x5f0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1be1a8 | 0x1be200 | 951a2818cb35d888f0328c24228da5ca | False | 0.509161464170636 | data | 6.863597004168995 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1c0000 | 0x1a1118 | 0x1a1200 | 63c0896633c5c28e53d61096ad78e931 | False | 0.806784607244531 | data | 7.4840729170019324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x362000 | 0xa784 | 0x4400 | 8a1f892dad06a25a77fabdb68fc06bb6 | False | 0.21501608455882354 | data | 3.5834068164514687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x36d000 | 0x10d4c | 0x10e00 | 64dfbe7fcbdd866b13f09b8faf1d2599 | False | 0.4862123842592593 | data | 6.133896963177395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37e000 | 0x1e0 | 0x200 | 8596ef18191b12d8e3bec098ab630c55 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x37f000 | 0x5b54 | 0x5c00 | 8375a0b81e17169769d398ecedce2451 | False | 0.27377717391304346 | data | 5.4476242894253515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x37e060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | CheckRemoteDebuggerPresent, GlobalMemoryStatusEx, SetFileAttributesA, GetSystemInfo, CloseHandle, GlobalAlloc, CreateFileA, OpenMutexA, CopyFileA, SetEndOfFile, WriteConsoleW, GetTimeZoneInformation, GetTempPathA, Sleep, CreateFileW, CreateMutexA, DeviceIoControl, WriteFile, GetCurrentProcess, GetModuleFileNameA, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SetStdHandle, HeapSize, CreateProcessW, GetExitCodeProcess, WaitForSingleObject, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetLastError, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetStdHandle, GetEnvironmentVariableW, GetFileType, GetModuleHandleW, GetProcAddress, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, RtlVirtualUnwind, DeleteFiber, WideCharToMultiByte, GetCurrentProcessId, GetSystemTimeAsFileTime, ConvertFiberToThread, FreeLibrary, LoadLibraryA, LoadLibraryW, FindClose, FindFirstFileW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LocalFree, FormatMessageA, GetLocaleInfoEx, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, SetFileInformationByHandle, AreFileApisANSI, GetFileInformationByHandleEx, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, GetExitCodeThread, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, GetStringTypeW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, ExitProcess, SetConsoleCtrlHandler, ReadFile, GetDriveTypeW, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, RtlUnwind
USER32.dll | GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetProcessWindowStation, SetClipboardData, GetClipboardSequenceNumber, GetUserObjectInformationW, MessageBoxW
ADVAPI32.dll | CryptGetUserKey, CryptGetProvParam, CryptExportKey, CryptDecrypt, CryptCreateHash, CryptDestroyHash, CryptSignHashW, CryptEnumProvidersW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, CryptSetHashParam, RegCreateKeyA, RegSetValueExA
SHELL32.dll | ShellExecuteA
bcrypt.dll | BCryptGenRandom
WININET.dll | InternetOpenA, InternetCloseHandle, InternetReadFile, InternetOpenUrlA
CRYPT32.dll | CertEnumCertificatesInStore, CertFindCertificateInStore, CertOpenStore, CertFreeCertificateContext, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertCloseStore
WS2_32.dll | WSACleanup, WSAGetLastError, closesocket, recv, send, WSASetLastError
Language of compilation system   Country where language is spoken
English                          United States
• Total Packets: 54
• 8888 (no well-known service)
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)
TCP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Mar 25, 2025 07:26:26.718952894 CET     49682        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:26.813668966 CET        80     49682  208.95.112.1     192.168.2.8
Mar 25, 2025 07:26:26.813771009 CET     49682        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:26.815188885 CET     49682        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:26.910465002 CET        80     49682  208.95.112.1     192.168.2.8
Mar 25, 2025 07:26:26.910532951 CET     49682        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:27.023761988 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.023819923 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.023881912 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.035331964 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.035367012 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.228266001 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.228384018 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.281060934 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.281085968 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.281407118 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.281476021 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.283377886 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.328320026 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.487737894 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.487863064 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.487903118 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.487932920 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.498131037 CET     49683       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:27.498155117 CET       443     49683  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:27.532895088 CET     49684      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:27.721704960 CET      8888     49684  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:27.721828938 CET     49684      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:27.722089052 CET     49684      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:27.912578106 CET      8888     49684  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:28.349659920 CET      8888     49684  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:28.351490974 CET     49684      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:29.377808094 CET     49682        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:29.378031015 CET     49684      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:29.586247921 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:29.680787086 CET        80     49685  208.95.112.1     192.168.2.8
Mar 25, 2025 07:26:29.680874109 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:29.681133986 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:29.777448893 CET        80     49685  208.95.112.1     192.168.2.8
Mar 25, 2025 07:26:29.777590990 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:26:29.852574110 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:29.852612972 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:29.852849007 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:29.860055923 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:29.860066891 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.044181108 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.044250965 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.047730923 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.047739029 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.047985077 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.048149109 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.049567938 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.096330881 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.226344109 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.226408958 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.226423025 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.226485014 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.226490974 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.226532936 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.227405071 CET     49686       443  192.168.2.8      185.199.109.133
Mar 25, 2025 07:26:30.227421045 CET       443     49686  185.199.109.133  192.168.2.8
Mar 25, 2025 07:26:30.242181063 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:30.429246902 CET      8888     49687  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:30.429332018 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:30.429550886 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:30.621689081 CET      8888     49687  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:30.844842911 CET      8888     49687  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:30.844924927 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:26:35.842587948 CET      8888     49687  185.208.159.226  192.168.2.8
Mar 25, 2025 07:26:35.842719078 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:27:28.676240921 CET        80     49685  208.95.112.1     192.168.2.8
Mar 25, 2025 07:27:28.676419973 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:28:19.518838882 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:28:19.519489050 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:28:19.831159115 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:28:19.987356901 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:28:20.440500975 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:28:20.924940109 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:28:21.643703938 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:28:22.799839973 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:28:24.049817085 CET     49685        80  192.168.2.8      208.95.112.1
Mar 25, 2025 07:28:26.549841881 CET     49687      8888  192.168.2.8      185.208.159.226
Mar 25, 2025 07:28:28.862452984 CET     49685        80  192.168.2.8      208.95.112.1
UDP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Mar 25, 2025 07:26:26.602444887 CET     57901        53  192.168.2.8      1.1.1.1
Mar 25, 2025 07:26:26.703915119 CET        53     57901  1.1.1.1          192.168.2.8
Mar 25, 2025 07:26:26.921256065 CET     61345        53  192.168.2.8      1.1.1.1
Mar 25, 2025 07:26:27.022706032 CET        53     61345  1.1.1.1          192.168.2.8
DNS Queries

Timestamp                            Source IP        Dest IP          Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Mar 25, 2025 07:26:26.602444887 CET  192.168.2.8      1.1.1.1          0x75c0    Standard query (0)  ip-api.com                 A (IP address)  IN (0x0001)  false
Mar 25, 2025 07:26:26.921256065 CET  192.168.2.8      1.1.1.1          0x5505    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
DNS Answers

Timestamp                            Source IP        Dest IP          Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Mar 25, 2025 07:26:26.703915119 CET  1.1.1.1          192.168.2.8      0x75c0    No error (0)  ip-api.com                 -      208.95.112.1     A (IP address)  IN (0x0001)  false
Mar 25, 2025 07:26:27.022706032 CET  1.1.1.1          192.168.2.8      0x5505    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)  false
Mar 25, 2025 07:26:27.022706032 CET  1.1.1.1          192.168.2.8      0x5505    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)  false
Mar 25, 2025 07:26:27.022706032 CET  1.1.1.1          192.168.2.8      0x5505    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)  false
Mar 25, 2025 07:26:27.022706032 CET  1.1.1.1          192.168.2.8      0x5505    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)  false
Contacted domains and IPs:
• raw.githubusercontent.com
• ip-api.com
• 185.208.159.226:8888
HTTP Packets

Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.8  49682        208.95.112.1     80                6976  C:\Users\user\Desktop\GEwWDGafs9.exe

Timestamp                            Bytes  Direction  Data
Mar 25, 2025 07:26:26.815188885 CET  86     OUT        GET /line/ HTTP/1.1
    User-Agent: ClpBot
    Host: ip-api.com
    Cache-Control: no-cache
Mar 25, 2025 07:26:26.910465002 CET  359    IN         HTTP/1.1 200 OK
    Date: Tue, 25 Mar 2025 06:26:25 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 188
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 73 75 63 63 65 73 73 0a 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 55 53 0a 4d 41 0a 4d 61 73 73 61 63 68 75 73 65 74 74 73 0a 53 70 72 69 6e 67 66 69 65 6c 64 0a 30 31 31 30 31 0a 34 32 2e 30 39 38 36 0a 2d 37 32 2e 35 39 33 31 0a 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 0a 43 52 4f 43 4b 45 52 20 43 4f 4d 4d 55 4e 49 43 41 54 49 4f 4e 53 2c 20 49 4e 43 4f 52 50 4f 52 41 54 45 44 0a 0a 41 53 37 38 34 39 20 43 52 4f 43 4b 45 52 20 43 4f 4d 4d 55 4e 49 43 41 54 49 4f 4e 53 2c 20 49 4e 43 4f 52 50 4f 52 41 54 45 44 0a 31 36 31 2e 37 37 2e 31 33 2e 32 0a
    Data Ascii (newline-separated fields, shown with "|"): success | United States | US | MA | Massachusetts | Springfield | 01101 | 42.0986 | -72.5931 | America/New_York | CROCKER COMMUNICATIONS, INCORPORATED | (empty) | AS7849 CROCKER COMMUNICATIONS, INCORPORATED | 161.77.13.2


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.8  49684        185.208.159.226  8888              6976  C:\Users\user\Desktop\GEwWDGafs9.exe

Timestamp                            Bytes  Direction  Data
Mar 25, 2025 07:26:27.722089052 CET  124    OUT        GET /be1055556e2d441781489ce4a8b4255b/ HTTP/1.1
    User-Agent: ClpBot
    Host: 185.208.159.226:8888
    Cache-Control: no-cache
Mar 25, 2025 07:26:28.349659920 CET  129    IN         HTTP/1.1 200 OK
    date: Tue, 25 Mar 2025 06:26:27 GMT
    server: uvicorn
    content-length: 5
    content-type: application/json
    Data Raw: 22 70 72 6f 22
    Data Ascii: "pro"


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
2           192.168.2.8  49685        208.95.112.1     80                3676  C:\Users\user\AppData\Local\clip.exe

Timestamp                            Bytes  Direction  Data
Mar 25, 2025 07:26:29.681133986 CET  86     OUT        GET /line/ HTTP/1.1
    User-Agent: ClpBot
    Host: ip-api.com
    Cache-Control: no-cache
Mar 25, 2025 07:26:29.777448893 CET  359    IN         HTTP/1.1 200 OK
    Date: Tue, 25 Mar 2025 06:26:28 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 188
    Access-Control-Allow-Origin: *
    X-Ttl: 57
    X-Rl: 43
    Data Raw: 73 75 63 63 65 73 73 0a 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 55 53 0a 4d 41 0a 4d 61 73 73 61 63 68 75 73 65 74 74 73 0a 53 70 72 69 6e 67 66 69 65 6c 64 0a 30 31 31 30 31 0a 34 32 2e 30 39 38 36 0a 2d 37 32 2e 35 39 33 31 0a 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 0a 43 52 4f 43 4b 45 52 20 43 4f 4d 4d 55 4e 49 43 41 54 49 4f 4e 53 2c 20 49 4e 43 4f 52 50 4f 52 41 54 45 44 0a 0a 41 53 37 38 34 39 20 43 52 4f 43 4b 45 52 20 43 4f 4d 4d 55 4e 49 43 41 54 49 4f 4e 53 2c 20 49 4e 43 4f 52 50 4f 52 41 54 45 44 0a 31 36 31 2e 37 37 2e 31 33 2e 32 0a
    Data Ascii (newline-separated fields, shown with "|"): success | United States | US | MA | Massachusetts | Springfield | 01101 | 42.0986 | -72.5931 | America/New_York | CROCKER COMMUNICATIONS, INCORPORATED | (empty) | AS7849 CROCKER COMMUNICATIONS, INCORPORATED | 161.77.13.2


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
3           192.168.2.8  49687        185.208.159.226  8888              3676  C:\Users\user\AppData\Local\clip.exe

Timestamp                            Bytes  Direction  Data
Mar 25, 2025 07:26:30.429550886 CET  124    OUT        GET /be1055556e2d441781489ce4a8b4255b/ HTTP/1.1
    User-Agent: ClpBot
    Host: 185.208.159.226:8888
    Cache-Control: no-cache
Mar 25, 2025 07:26:30.844842911 CET  129    IN         HTTP/1.1 200 OK
    date: Tue, 25 Mar 2025 06:26:30 GMT
    server: uvicorn
    content-length: 5
    content-type: application/json
    Data Raw: 22 70 72 6f 22
    Data Ascii: "pro"


HTTPS Packets

Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.8  49683        185.199.109.133  443               6976  C:\Users\user\Desktop\GEwWDGafs9.exe

Timestamp                Bytes  Direction  Data
2025-03-25 06:26:27 UTC  141    OUT        GET /VeraImage/MilitarySource/refs/heads/main/Code HTTP/1.1
    User-Agent: ClpBot
    Host: raw.githubusercontent.com
    Cache-Control: no-cache
2025-03-25 06:26:27 UTC  891    IN         HTTP/1.1 200 OK
    Connection: close
    Content-Length: 21
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "487c8fd5d11555c8fe0f835934373d10b5bf87fb3c9326ed680dd347bf276158"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: CE00:1B26DF:1E1648:24207A:67E24C92
    Accept-Ranges: bytes
    Date: Tue, 25 Mar 2025 06:26:27 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lga21981-LGA
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1742883987.353104,VS0,VE83
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: dfe4a6eaf9b73ccd637543ef616b0eadcc090b49
    Expires: Tue, 25 Mar 2025 06:31:27 GMT
    Source-Age: 0
2025-03-25 06:26:27 UTC  21     IN         Data Raw: 31 38 35 2e 32 30 38 2e 31 35 39 2e 32 32 36 3a 38 38 38 38 0a
    Data Ascii: 185.208.159.226:8888


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.8  49686        185.199.109.133  443               3676  C:\Users\user\AppData\Local\clip.exe

Timestamp                Bytes  Direction  Data
2025-03-25 06:26:30 UTC  141    OUT        GET /VeraImage/MilitarySource/refs/heads/main/Code HTTP/1.1
    User-Agent: ClpBot
    Host: raw.githubusercontent.com
    Cache-Control: no-cache
2025-03-25 06:26:30 UTC  889    IN         HTTP/1.1 200 OK
    Connection: close
    Content-Length: 21
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "487c8fd5d11555c8fe0f835934373d10b5bf87fb3c9326ed680dd347bf276158"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: CE00:1B26DF:1E1648:24207A:67E24C92
    Accept-Ranges: bytes
    Date: Tue, 25 Mar 2025 06:26:30 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lga21975-LGA
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1742883990.176958,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 4a9071bb460ff63ba6bd7d1a9b7c2f8613fb37e9
    Expires: Tue, 25 Mar 2025 06:31:30 GMT
    Source-Age: 3
2025-03-25 06:26:30 UTC  21     IN         Data Raw: 31 38 35 2e 32 30 38 2e 31 35 39 2e 32 32 36 3a 38 38 38 38 0a
    Data Ascii: 185.208.159.226:8888
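The HTTP and HTTPS sessions above show the sample's check-in as a three-step chain: a geolocation lookup at ip-api.com, a fetch of a GitHub raw file whose whole body is an IP:port, and a request to exactly that socket on port 8888, every request carrying the fixed User-Agent "ClpBot". The Python below is an added triage example, not sandbox output and not the sample's code. It parses the ip-api.com /line/ reply into named fields (field names follow ip-api.com's documented default field order), flags the constant non-browser User-Agent and the non-standard destination port, and links the dead-drop body to the later connection. The session records are constructed from the report; the list of dead-drop hosts is this example's own assumption.

```python
"""Triage captured HTTP sessions for the ClpBot check-in chain.

Session records are constructed from the sandbox report. The
ip-api.com field names follow that service's documented /line/
default order; DEAD_DROP_HOSTS is an assumed watch list."""
import re
from dataclasses import dataclass


@dataclass
class HttpSession:
    pid: int
    process: str
    dst: str          # destination IP
    port: int
    host: str         # Host header as sent
    path: str
    user_agent: str
    body: str         # decoded response body


# Constructed from the report: the ip-api.com /line/ body, one field per line.
IPAPI_BODY = ("success\nUnited States\nUS\nMA\nMassachusetts\nSpringfield\n"
              "01101\n42.0986\n-72.5931\nAmerica/New_York\n"
              "CROCKER COMMUNICATIONS, INCORPORATED\n\n"
              "AS7849 CROCKER COMMUNICATIONS, INCORPORATED\n161.77.13.2\n")

SESSIONS = [
    HttpSession(6976, r"C:\Users\user\Desktop\GEwWDGafs9.exe", "208.95.112.1", 80,
                "ip-api.com", "/line/", "ClpBot", IPAPI_BODY),
    HttpSession(6976, r"C:\Users\user\Desktop\GEwWDGafs9.exe", "185.199.109.133", 443,
                "raw.githubusercontent.com",
                "/VeraImage/MilitarySource/refs/heads/main/Code", "ClpBot",
                "185.208.159.226:8888\n"),
    HttpSession(6976, r"C:\Users\user\Desktop\GEwWDGafs9.exe", "185.208.159.226", 8888,
                "185.208.159.226:8888", "/be1055556e2d441781489ce4a8b4255b/", "ClpBot",
                '"pro"'),
]

# Default field order of ip-api.com's /line/ endpoint (per its documentation).
IPAPI_FIELDS = ["status", "country", "countryCode", "region", "regionName", "city",
                "zip", "lat", "lon", "timezone", "isp", "org", "as", "query"]

# A body that is nothing but "a.b.c.d:port" (optional surrounding whitespace).
SOCKET_RE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\s*$")
STANDARD_PORTS = {80, 443}
# Assumed list of public hosts often abused as dead-drop resolvers.
DEAD_DROP_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com", "pastebin.com"}


def parse_ipapi_line(body: str) -> dict:
    """Map the newline-delimited /line/ reply onto its documented field names."""
    return dict(zip(IPAPI_FIELDS, body.rstrip("\n").split("\n")))


def triage_http(sessions):
    """Return human-readable findings for a list of sessions in observed order."""
    findings = []
    uas = {s.user_agent for s in sessions}
    if len(uas) == 1:
        ua = next(iter(uas))
        if not ua.startswith("Mozilla/"):
            findings.append(f"fixed non-browser User-Agent: {ua}")
    for s in sessions:
        if s.port not in STANDARD_PORTS:
            findings.append(f"HTTP to non-standard port {s.dst}:{s.port} ({s.path})")
        if s.host == "ip-api.com":
            geo = parse_ipapi_line(s.body)
            findings.append(f"public IP geolocation lookup: {geo['query']} in "
                            f"{geo['countryCode']} ({geo['timezone']})")
    # Dead-drop resolver: a fetch from a watch-listed host returns only ip:port,
    # and a later session in the same capture goes to that exact socket.
    for i, s in enumerate(sessions):
        m = SOCKET_RE.match(s.body)
        if s.host in DEAD_DROP_HOSTS and m:
            ip, port = m.group(1), int(m.group(2))
            if any(t.dst == ip and t.port == port for t in sessions[i + 1:]):
                findings.append(f"dead-drop resolver: {s.host}{s.path} -> C2 {ip}:{port}")
    return findings


if __name__ == "__main__":
    for line in triage_http(SESSIONS):
        print(line)
```

Feed it real proxy or Zeek http.log records by building HttpSession objects in the order they were observed; the dead-drop check relies on that ordering to tie the resolved socket to the connection that follows it.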


Target ID: 0
Start time: 02:26:25
Start date: 25/03/2025
Path: C:\Users\user\Desktop\GEwWDGafs9.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\GEwWDGafs9.exe"
Imagebase: 0x7ff655990000
File size: 3'647'488 bytes
MD5 hash: 1620529D44DD56FE7BEB51B1DBC75FD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 02:26:27
Start date: 25/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"
Imagebase: 0x7ff7b7640000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:26:28
Start date: 25/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6e60e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:26:28
Start date: 25/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"
Imagebase: 0x7ff7b7640000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:26:28
Start date: 25/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6e60e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 02:26:28
Start date: 25/03/2025
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping localhost -n 1
Imagebase: 0x7ff6901c0000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 02:26:28
Start date: 25/03/2025
Path: C:\Users\user\AppData\Local\clip.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\clip.exe
Imagebase: 0x7ff61eb90000
File size: 3'647'488 bytes
MD5 hash: 1620529D44DD56FE7BEB51B1DBC75FD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 72%, ReversingLabs
Reputation: low
Has exited: false

                                      Target ID:8
                                      Start time:02:26:37
                                      Start date:25/03/2025
                                      Path:C:\Users\user\AppData\Local\clip.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\clip.exe"
                                      Imagebase:0x7ff61eb90000
                                      File size:3'647'488 bytes
                                      MD5 hash:1620529D44DD56FE7BEB51B1DBC75FD6
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:02:26:45
                                      Start date:25/03/2025
                                      Path:C:\Users\user\AppData\Local\clip.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\clip.exe"
                                      Imagebase:0x7ff61eb90000
                                      File size:3'647'488 bytes
                                      MD5 hash:1620529D44DD56FE7BEB51B1DBC75FD6
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

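The process entries above show the submitted sample copying itself byte for byte (the dropped C:\Users\user\AppData\Local\clip.exe carries the same MD5, 1620529D44DD56FE7BEB51B1DBC75FD6, as the original sample) and then launching that copy three times, once with elevated privileges (target 7, which never exits) and twice without. The following PowerShell is an added host-triage script, not part of the Joe Sandbox report: it looks for that self-copy by location, by running process and by autorun registry value on a live Windows host. The only indicator taken from the report is the MD5; the profile wildcard, the Run/RunOnce key list and the output layout are this example's own assumptions. Note that the name collides with the legitimate %SystemRoot%\System32\clip.exe, so a process called clip is only suspicious once its path and hash are checked.

```powershell
# Added triage script (not from the Joe Sandbox report or the sample's author).
# Indicator from the report: MD5 of both the sample and the dropped clip.exe.
$KnownMd5 = '1620529D44DD56FE7BEB51B1DBC75FD6'
$Findings = @()

# 1. Dropped self-copy under %LOCALAPPDATA%. Every profile is checked, not only the
#    responder's, because the victim account is usually not the one running this.
$Candidates = Get-ChildItem -Path 'C:\Users\*\AppData\Local\clip.exe' -ErrorAction SilentlyContinue
foreach ($f in $Candidates) {
    $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    $Findings += [pscustomobject]@{
        Check  = 'DroppedFile'
        Detail = $f.FullName
        Size   = $f.Length
        MD5    = $md5
        Match  = ($md5 -eq $KnownMd5)
    }
}

# 2. Live processes. The name alone is not enough: Windows ships its own
#    %SystemRoot%\System32\clip.exe, so decide on path and hash, never on name.
foreach ($proc in (Get-Process -Name clip -ErrorAction SilentlyContinue)) {
    $path = $proc.Path
    $md5  = if ($path) { (Get-FileHash -Path $path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash } else { $null }
    $Findings += [pscustomobject]@{
        Check  = 'RunningProcess'
        Detail = "PID $($proc.Id) $path"
        Size   = $null
        MD5    = $md5
        Match  = ($md5 -eq $KnownMd5)
    }
}

# 3. Autorun values referencing clip.exe. This is a general persistence check;
#    the process table above does not say which value name, if any, the sample uses.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ("$($p.Value)" -match 'clip\.exe') {
            $Findings += [pscustomobject]@{
                Check  = 'AutorunValue'
                Detail = "$key\$($p.Name) = $($p.Value)"
                Size   = $null
                MD5    = $null
                Match  = $true
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No clip.exe artefacts found.' }
else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so the HKLM hive and other users' profiles are readable; a DroppedFile or RunningProcess row with Match set to True is a direct hash hit on this sample, while an AutorunValue row only tells you where to look next, since the script matches on the file name rather than on content there.
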
                                      Non-executed Functions

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 2933794660-0
                                      • Opcode ID: 3f0fe23ab450d387db1b587cff852b9df338c60219a6d118686fef43b79c6dce
                                      • Instruction ID: 9f4b8320562791ecbc39cc9f2599cb0cf303fa1e897b07f22d282eee8a7c3959
                                      • Opcode Fuzzy Hash: 3f0fe23ab450d387db1b587cff852b9df338c60219a6d118686fef43b79c6dce
                                      • Instruction Fuzzy Hash: B2113026B14F0599EB40CF60E8582B833B4FB59B58F480E35DE6D96BA4EF78E9548340
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c550c23eac083fb8d1f23166675d05766513d954a435ccade20fed6810b4aac1
                                      • Instruction ID: 40d53985cae7cf38c9f0681eea379644a2cb938a99617b3c3544332ac6e16ff8
                                      • Opcode Fuzzy Hash: c550c23eac083fb8d1f23166675d05766513d954a435ccade20fed6810b4aac1
                                      • Instruction Fuzzy Hash: CC22D3A2210BE58AF720DFA9A451ACFBB31F349789F59611AEFD927744C738D019D310
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e825968bc97defa09ad5d89556f9424bf806271682196f1a49bbe19fac72342f
                                      • Instruction ID: 3008c005fe0411af5d1a240dbb53c119ddeda539e0c587d3ee157f50a0c7df25
                                      • Opcode Fuzzy Hash: e825968bc97defa09ad5d89556f9424bf806271682196f1a49bbe19fac72342f
                                      • Instruction Fuzzy Hash: A532B416D08FDA52E6234739D4071B66320EFB7B88F04E717FED8B1992DF79A9859200
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cad99a2d4e46cc618ace7834b6e780da24195ba3af084b353e54271354d1311d
                                      • Instruction ID: d52e21adf760da4742e382bd66f46e6ccac92dc08c55f50ce7115decbdf5ef18
                                      • Opcode Fuzzy Hash: cad99a2d4e46cc618ace7834b6e780da24195ba3af084b353e54271354d1311d
                                      • Instruction Fuzzy Hash: B222BDB76482D0ABD7158F25C2A059E3FA1F757BA07888312DBC593686CB3DB536CB10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b0548514c4c8b113d92ddd0d204e7b11ea4a75043de251748c4fda24bdcd95c4
                                      • Instruction ID: b89de3933ce02b47416db2506334c77bcaf5be8c9ca6bdbe8b884d16a4e3aa0b
                                      • Opcode Fuzzy Hash: b0548514c4c8b113d92ddd0d204e7b11ea4a75043de251748c4fda24bdcd95c4
                                      • Instruction Fuzzy Hash: ED22C012E18FD951E6138B3991075B66320EFBBBC8F04E316FFC8B1553EF69A6959200
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dab17be4026a6c35ea24da57e90003bf1faf4831ff2aa495885ec608f5727e14
                                      • Instruction ID: 7b88fcfd1f15c2f8cfa16b1c6278f7b0d176962404f4aa1d8d0fbb6d62a46ba8
                                      • Opcode Fuzzy Hash: dab17be4026a6c35ea24da57e90003bf1faf4831ff2aa495885ec608f5727e14
                                      • Instruction Fuzzy Hash: DE12B216E1CFC951E2135B3981075B56320BFBB2D8B04D326FFC8B1963EB66A691A211
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9deff24510052f1ca027ffd6e912a104696249bff2d50c53e0635e56cdf220ec
                                      • Instruction ID: aecd67efce63ee6354c5394c3082270688d63f818d0be9e03a3aa5eb1e7a5375
                                      • Opcode Fuzzy Hash: 9deff24510052f1ca027ffd6e912a104696249bff2d50c53e0635e56cdf220ec
                                      • Instruction Fuzzy Hash: F3E16DB6B91A7596DB048F16E94178D7B64F319BC8F898529CF8C93B50EB38E931C300
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5b4638826d0835714e403e67164314e87c07565fcb73b820e190128f6c465720
                                      • Instruction ID: 90c77984e203f29595e5187035177afd44827ab4d4eb6261b8d2ddd40c0c9d39
                                      • Opcode Fuzzy Hash: 5b4638826d0835714e403e67164314e87c07565fcb73b820e190128f6c465720
                                      • Instruction Fuzzy Hash: 94F1D512E1CFC951E2135B3D90075F66324AFB72D8F04D326FEC8B1663EB66A691A311
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 97d09c3328f80f749d154f0ca53659eb76d2de0e8ea6df42e1135bac6bdbc4da
                                      • Instruction ID: 079e8cb7c3b951ac1c23df1a0ab5809c1d4be4edd511ddb4f92a71fcb7de8d94
                                      • Opcode Fuzzy Hash: 97d09c3328f80f749d154f0ca53659eb76d2de0e8ea6df42e1135bac6bdbc4da
                                      • Instruction Fuzzy Hash: 86D19A9BC28FD905F313533D54476A2E610AFFB5D8A20E303FDF471A62EB54B695A220
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d99519007a3160027af60c174ae658a035ae279c8b5eddc525d7f31c2ef3fc7c
                                      • Instruction ID: f0a8451a720ebeada0a4ecd8ec4dba7c770231b116de2df168d8c28971a4ef01
                                      • Opcode Fuzzy Hash: d99519007a3160027af60c174ae658a035ae279c8b5eddc525d7f31c2ef3fc7c
                                      • Instruction Fuzzy Hash: C0F13E16D1CFC683E2254B3996052BA6730FBB9708F05F715EFD922862DF2CB6E59200
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a0ff061bca674d3f997512753ddc9caa99b77f01943a6110a2d41e01163c3871
                                      • Instruction ID: 744a4c235ed8318e51c51b0959bc3be45642b5d0e99248254f01e35d3c1bdb8c
                                      • Opcode Fuzzy Hash: a0ff061bca674d3f997512753ddc9caa99b77f01943a6110a2d41e01163c3871
                                      • Instruction Fuzzy Hash: 75B19F2AC0DBC209F7033B35484B264A3309FE2A58F94C732FDA9B19A7DF1C7A485191
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38bb0797435f3f3e06de13988d079cd4bd348e19c1d6278303e57a3c95d01b2d
                                      • Instruction ID: 355f4a44678bdcf3d04a9391bd923cd04932f1e52d72edc0ee6e23b02e76e89d
                                      • Opcode Fuzzy Hash: 38bb0797435f3f3e06de13988d079cd4bd348e19c1d6278303e57a3c95d01b2d
                                      • Instruction Fuzzy Hash: 25A14326D18FC992E2224B3995066FA7735FFA5788F04E312EFC822516DF2DE695D300
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec542817aeed97f441c899a7a6a2e0cb26798a16997a26981bc7fea0c88407d
                                      • Instruction ID: a00ee6497279300a6680ec48514f490e5b226824c425e1a2e97e41be13495c9c
                                      • Opcode Fuzzy Hash: 2ec542817aeed97f441c899a7a6a2e0cb26798a16997a26981bc7fea0c88407d
                                      • Instruction Fuzzy Hash: 8A915526D1CFC592E6224B2D95066FA6730FFA5788F04A311EFC922626DF3DE695C300
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                       • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b0947d0868641a8ae3bef455c4b94ddc8bb6b6d886c615d8484d5e271edded9
                                      • Instruction ID: 1921a6c9fd62051ab01b92a45d699b83d3a29f591d0d5f11c87939cba8173f77
                                      • Opcode Fuzzy Hash: 4b0947d0868641a8ae3bef455c4b94ddc8bb6b6d886c615d8484d5e271edded9
                                      • Instruction Fuzzy Hash: 3B41E5DAC29FB945E723A33A6C43286DA009EF7989950E303FCB439E65F701B4D13224
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3cede5878e3bd3d7d96aebfa4ca37e5dd0cfcb025fc2e8992b4704f06235e5cf
                                      • Instruction ID: 6abe143fcd4268e500512d6cba54552faae029eae235fbc9e07ac88479dcaa7c
                                      • Opcode Fuzzy Hash: 3cede5878e3bd3d7d96aebfa4ca37e5dd0cfcb025fc2e8992b4704f06235e5cf
                                      • Instruction Fuzzy Hash: 0841C511D0CFC991E6134B3D80051A5A370FFAA788F14D722EED872171EF2AB6C69700
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 59ee0376741b915f91bd85b599e26324d605420558e42bb7ea22d7bdae3fd819
                                      • Instruction ID: f62237a33d7882b14736359486aed97eec9023b18fab4bfbf8e714db1b2867a7
                                      • Opcode Fuzzy Hash: 59ee0376741b915f91bd85b599e26324d605420558e42bb7ea22d7bdae3fd819
                                      • Instruction Fuzzy Hash: 44310E26E0CFDE21F623567980076722A006EB75E8501C73BB99AF05B3D7937984B533
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f19b86a61d086bb454cd15cd51638e7a22c08416d675b086c09403c481547e8e
                                      • Instruction ID: 96e302d23174afae3847ae4d378bf5e9e2c5730029f3037e44d21f881a24ef4a
                                      • Opcode Fuzzy Hash: f19b86a61d086bb454cd15cd51638e7a22c08416d675b086c09403c481547e8e
                                      • Instruction Fuzzy Hash: 9B310825E14FBE21F62356BAC0076721A00DDB7FD8A05E71BBD98F0593DFB15E88A211
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4efb22784e4e17a2b8a6c748aa3121f52410c40561d1a3711c9f1c6d5bdce676
                                      • Instruction ID: e37e72e02259462ac3d9655dd93e40691264e1714a025c591b9202d4701d6d5f
                                      • Opcode Fuzzy Hash: 4efb22784e4e17a2b8a6c748aa3121f52410c40561d1a3711c9f1c6d5bdce676
                                      • Instruction Fuzzy Hash: 4031372AC2DFDB92F713873E5407125D614AFF3285A90E31FF9A835822FB159785A304
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7b376ad8a1162ce3042ebef56d6a6a2f8e177532a54a68e03f022e848293315d
                                      • Instruction ID: 40bf2fe4a6b9148070500fa9561ff71f5f7685d71c175a3e8e1b670a8b2a715f
                                      • Opcode Fuzzy Hash: 7b376ad8a1162ce3042ebef56d6a6a2f8e177532a54a68e03f022e848293315d
                                      • Instruction Fuzzy Hash: D12184E6610AC996E6208F95A414ADBA731F349BC8B59A226EF9D2B355CB3CE511C300
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3608016e66e80f3edef84418df2e9105160d427f0824d013ec342462020be9c6
                                      • Instruction ID: e4783806abf096693d60580875f6cd35dd301fb33f9ea861efbca7d309796c95
                                      • Opcode Fuzzy Hash: 3608016e66e80f3edef84418df2e9105160d427f0824d013ec342462020be9c6
                                      • Instruction Fuzzy Hash: 3B314B1DD0AACB49F2122778540B2BAA3206F93B5CF4CD332F59CB5593EF1C2E80A195
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 327295e52a37b6ea025cd2dde1d11135dbdca83d7294c17f622611ec3b357784
                                      • Instruction ID: addd164517c2de3c750002876a62bc4d4f52a38938a4a8b23577782febc4d1ba
                                      • Opcode Fuzzy Hash: 327295e52a37b6ea025cd2dde1d11135dbdca83d7294c17f622611ec3b357784
                                      • Instruction Fuzzy Hash: 5821372AC2DFDB51F713833E5407115D6109FF3285A90E71FFDA874C62EB1547806218
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 55a17341e7f3fe1181ecd508adb34383b1904484b4430b65709af9217215abbf
                                      • Instruction ID: 05b9e8016f7c5bc5d712a73471438bb03a60ec22c3557cc2a605ee207d1be5e0
                                      • Opcode Fuzzy Hash: 55a17341e7f3fe1181ecd508adb34383b1904484b4430b65709af9217215abbf
                                      • Instruction Fuzzy Hash: 6401C8C3B9558A037F5DD1E59C7BAB6459A835A7C8284F63AEE0BDFB48E50CC2015144
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 429c38b16138194702f667c55535cc2f86ff954004639886ca04fc12ea1eea0e
                                      • Instruction ID: 3ce922a8b7f20abc2fcc3a34a6966d3ada2e7d2837ef2c1962bd936eb4f720b9
                                      • Opcode Fuzzy Hash: 429c38b16138194702f667c55535cc2f86ff954004639886ca04fc12ea1eea0e
                                      • Instruction Fuzzy Hash: 55115129D0CFDE21F623457A800797126106EB75E8900CB3BBD9AF05B3DB5779807632
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b2e6c169ae94c7fae1caa405473e4d40fcf381a3e230e6e6d3cb083efee97dd
                                      • Instruction ID: 095e677132c879c6fa22cfaa6ca41b6b3ca30d826eff089b025bd5e331db2f2e
                                      • Opcode Fuzzy Hash: 8b2e6c169ae94c7fae1caa405473e4d40fcf381a3e230e6e6d3cb083efee97dd
                                      • Instruction Fuzzy Hash: 8C110A25D04FFE21F663557AC0079710610DEB7ED8905EB1BBD98F0693EFB15D88A210
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f49ff8109a83ad7ffc9268b084fbd3e3fe13c788c7cc49ec16bdf3f8ab1762e9
                                      • Instruction ID: 64bdcceb959df1f4862abe08d77e15d0a83b5243ec3c2d9e2aa759102e6c2369
                                      • Opcode Fuzzy Hash: f49ff8109a83ad7ffc9268b084fbd3e3fe13c788c7cc49ec16bdf3f8ab1762e9
                                      • Instruction Fuzzy Hash: 560124EAC24FAA42E723A3396943282DA10AEF3589520E307FDF834E55F305B5D07220
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00041c4d9b6021bd7268743e75341ac9f422d742c08481849cac6ad422316a98
                                      • Instruction ID: 5bab1b8cbfa42351db09eda2018c0e6377e909826753554b1555702cea6b7e81
                                      • Opcode Fuzzy Hash: 00041c4d9b6021bd7268743e75341ac9f422d742c08481849cac6ad422316a98
                                      • Instruction Fuzzy Hash: 11F0E2327283E00ACB95CA36A508F592DE19391BC8F16C030E90CC3F45E92ECA018B00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.885780487.00007FF655991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF655990000, based on PE: true
                                      • Associated: 00000000.00000002.885757896.00007FF655990000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.885928897.00007FF655B50000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886082897.00007FF655CF2000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886104343.00007FF655CF5000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CF6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886135386.00007FF655CFA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.886180999.00007FF655CFD000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff655990000_GEwWDGafs9.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c83208bef4d752e21eecc982e00e41a7b9bb589477a0b7ed4897396d2cb2cab
                                      • Instruction ID: cebc2937e04e9e71e22f71e52a04b51c0fd56fe595899482dea23265f7564456
                                      • Opcode Fuzzy Hash: 2c83208bef4d752e21eecc982e00e41a7b9bb589477a0b7ed4897396d2cb2cab
                                      • Instruction Fuzzy Hash: 8BE04F727183A449C756CA372509E596AA4A315FC9F47C030D90DD3E46EE2FCA018B40

                                      Non-executed Functions

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2102467535.00007FF61EB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF61EB90000, based on PE: true
                                      • Associated: 00000007.00000002.2102443713.00007FF61EB90000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000007.00000002.2102736018.00007FF61ED50000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000007.00000002.2102917676.00007FF61EEF2000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000007.00000002.2102943664.00007FF61EEF5000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000007.00000002.2102969842.00007FF61EEF6000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000007.00000002.2102969842.00007FF61EEFA000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000007.00000002.2103022858.00007FF61EEFD000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff61eb90000_clip.jbxd
                                      Similarity
                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 2933794660-0
                                      • Opcode ID: 3f0fe23ab450d387db1b587cff852b9df338c60219a6d118686fef43b79c6dce
                                      • Instruction ID: 27fdbdf0b92754fa51923aa2f9b13a3ba808d498e142e5f37a35c9b2adc62dd0
                                      • Opcode Fuzzy Hash: 3f0fe23ab450d387db1b587cff852b9df338c60219a6d118686fef43b79c6dce
                                      • Instruction Fuzzy Hash: AC111C22B14F0589EB008B60E8542A933B4FB29B68F440E35EA6D87BA4DF7CE5548340