Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 729270
MD5: 734fcb6992cc87731801713d81f0d557
SHA1: bf9a42ff5ec69d7945ddee72dd0ffc0315e2ff39
SHA256: 398df90a42c7b3cc43ea5095630ef3d8cf059beeda54e6a5888c839f5d6f5055
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Potential time zone aware malware
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

(Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious)
  • System is w10x64
  • file.exe (PID: 2556 cmdline: C:\Users\user\Desktop\file.exe MD5: 734FCB6992CC87731801713D81F0D557)
    • WMIC.exe (PID: 5136 cmdline: wmic os get Caption MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5208 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 5248 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • cmd.exe (PID: 1392 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 4504 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: file.exe; Joe Sandbox ML: detected
Source: file.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\
Source: global traffic; TCP traffic: 192.168.2.6:49705 -> 176.124.220.67:8081
Source: unknown; TCP traffic detected without corresponding DNS query: 176.124.220.67
Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_01
Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: classification engine; Classification label: mal52.spyw.winEXE@14/0@0/1
Source: file.exe; Static file information: File size 4847238 > 1048576
Source: file.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x22aa00
Source: file.exe; Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1ee800
Source: file.exe; Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\file.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe; System information queried: CurrentTimeZoneInformation
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe, 00000000.00000002.307303860.000002CA47678000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Application Data VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\History VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\LocalCache VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\LocalCache VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Temporary Internet Files VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\a1633b1e-f1cf-4fba-86f8-17dcb4bf385e
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
MITRE ATT&CK Matrix (techniques are listed per tactic column; the number in parentheses is the count shown next to that technique in the report):
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (11), Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (11), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (11), Obfuscated Files or Information, Binary Padding, Software Packing
Credential Access: OS Credential Dumping (1), Input Capture (11), Security Account Manager, NTDS, LSA Secrets
Discovery: System Time Discovery (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (13)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Input Capture (11), Data from Local System (2), Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Non-Standard Port (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data
Behavior Graph ID: 729270, Sample: file.exe, Startdate: 24/10/2022, Architecture: WINDOWS, Score: 52
  • Signatures on the sample: Machine Learning detection for sample; Found many strings related to Crypto-Wallets (likely being stolen)
  • file.exe started
  • file.exe contacted 176.124.220.67, 49705, 8081 (GULFSTREAMUA, Russian Federation)
  • file.exe signature: Tries to harvest and steal browser information (history, passwords, etc)
  • file.exe started cmd.exe, which started WMIC.exe and conhost.exe
  • file.exe started a second cmd.exe, which started WMIC.exe and conhost.exe
  • file.exe started WMIC.exe, which started conhost.exe

Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML
No Antivirus matches


No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
176.124.220.67 | unknown | Russian Federation | 59652 | GULFSTREAMUA | false
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:729270
Start date and time:2022-10-24 16:26:05 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 3s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:file.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.spyw.winEXE@14/0@0/1
EGA Information:Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 100%)
  • Quality average: 76.4%
  • Quality standard deviation: 24.6%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com
  • Execution Graph export aborted for target file.exe, PID 2556 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
16:27:07 | API Interceptor | 3x Sleep call for process: WMIC.exe modified
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: GULFSTREAMUA (other samples seen contacting this ASN; the context column is the IP each sample contacted)
  • Browser_renew.exe (malicious): 176.124.216.159
  • Browser_renew.exe (malicious): 176.124.216.159
  • file.exe (malicious): 176.124.215.2
  • MKux1L12Hd.exe (malicious): 176.124.192.220
  • M5jKYa84lZ.exe (malicious): 176.124.192.220
  • YJxaWrcrpx.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • RssqBuHzC8.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • vBlasFEGDm.exe (malicious): 176.124.192.220
  • sRsnwIR3OT.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
  • file.exe (malicious): 176.124.192.220
No created / dropped files found
File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):6.247898286881813
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:file.exe
File size:4847238
MD5:734fcb6992cc87731801713d81f0d557
SHA1:bf9a42ff5ec69d7945ddee72dd0ffc0315e2ff39
SHA256:398df90a42c7b3cc43ea5095630ef3d8cf059beeda54e6a5888c839f5d6f5055
SHA512:3b5883f8fd9e3030726b0d8f7884d270b74ea1e99b0c07ecf6fc17164ef2c339c3e38a793ae9e384936eed65363f1b64f6d14f4a1a5c0bfee7f3e2359cdf48b2
SSDEEP:98304:ezAv5Q+EAG8l6EW3gWVup6aaIb7b7YEKtayr4dZ1YnvkMK83LhJokenV6Iq2K7z4:eE0u1
TLSH:12262847F89980F5C1AED1308A268253BA723C991B3063D73B51F7B86B73BD46A79314
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........F......."......."..........^........@..............................pP......PJ...`... ............................
Icon Hash:0030303038181800
Entrypoint:0x465e80
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:9cbefe68f395e67356e2a5d8d1b285c0
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4bb000 | 0x47c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c7000 | 0x3f0b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4bc000 | 0x99c0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x41b240 | 0x140 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x22a815 | 0x22aa00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x22c000 | 0x1ee6a0 | 0x1ee800 | False | 0.39460728166076847 | data | 5.582119832029706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x41b000 | 0x9fdc0 | 0x3ca00 | False | 0.41630557345360825 | data | 5.300196718182688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4bb000 | 0x47c | 0x600 | False | 0.33203125 | data | 3.567258212132925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x4bc000 | 0x99c0 | 0x9a00 | False | 0.276760349025974 | data | 5.43709646464519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x4c6000 | 0x4 | 0x200 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x4c7000 | 0x3f0b8 | 0x3f200 | False | 0.03193842821782178 | data | 5.600157130601035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4c70ac | 0x3eff8 | Device independent bitmap graphic, 250 x 500 x 32, image size 250000, resolution 3779 x 3779 px/m
RT_GROUP_ICON | 0x5060a4 | 0x14 | data
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler


TCP Packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2022 16:27:15.832779884 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.832796097 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.832832098 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.832923889 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.832950115 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833019972 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833046913 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833072901 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833097935 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833116055 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833161116 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833187103 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833199024 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833220959 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833264112 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833297014 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833300114 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833357096 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833378077 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833440065 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833452940 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833512068 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833575010 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833655119 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833709955 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833769083 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833899021 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833950043 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.833987951 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.833997011 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834024906 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834076881 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834084034 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834095955 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834146976 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834193945 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834198952 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834198952 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834213018 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834250927 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834250927 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834280014 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834321022 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834338903 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834383011 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834387064 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834407091 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834415913 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834450960 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834455967 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834481955 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834543943 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834618092 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834682941 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834693909 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834764957 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834827900 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834846020 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834894896 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834912062 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.834925890 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.834988117 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835050106 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835069895 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835117102 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835119963 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835120916 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835135937 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835175037 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835185051 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835206032 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835235119 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835254908 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835266113 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835304022 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835304976 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835333109 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835381031 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835390091 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835428953 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835455894 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835483074 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835506916 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835525036 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835566044 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835592031 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835628033 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835681915 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835793018 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835810900 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835860014 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835879087 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835912943 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835932970 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.835936069 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835936069 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835977077 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.835999012 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:15.836049080 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836153030 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836199045 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836308956 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836327076 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836374998 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836452961 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836555958 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836661100 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.836678982 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.874608994 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.894874096 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895131111 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895148039 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895160913 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895173073 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895185947 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895255089 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895418882 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895432949 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895576954 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895590067 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895733118 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895903111 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.895921946 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896068096 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896083117 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896096945 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896229982 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896245003 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896260977 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896378994 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896394014 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896542072 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.896692991 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897066116 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897082090 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897095919 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897108078 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897120953 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897133112 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897229910 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897284031 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897414923 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897511959 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897597075 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.897670031 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.898546934 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.898569107 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.900530100 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.900743961 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901052952 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901073933 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901118994 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901154995 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901204109 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901222944 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901592016 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901618004 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901635885 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901654005 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901673079 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901691914 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901710033 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901727915 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.901746988 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902223110 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902252913 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902271986 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902319908 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902522087 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902543068 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902564049 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902651072 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902673006 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902760983 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902939081 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902961969 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902981043 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.902998924 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.903055906 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.903104067 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.915740967 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:15.959901094 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:18.746762991 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:18.746912003 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:18.808749914 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808778048 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808789968 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808805943 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808849096 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808862925 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808876038 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808952093 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.808964968 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809009075 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809149981 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809221029 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809253931 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809359074 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809393883 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.809540033 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.816302061 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.847671032 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:18.909586906 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909609079 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909622908 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909636021 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909692049 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909771919 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909852028 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909877062 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.909971952 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.915534019 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:18.959512949 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:19.101619005 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:19.101800919 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:19.101895094 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:19.163708925 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.163753033 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.163769960 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.163822889 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.163932085 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164058924 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164223909 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164381027 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164484024 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164619923 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164741039 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.164858103 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.165021896 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.165271997 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.165637970 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.165811062 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.165868998 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.166021109 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.166183949 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.172410965 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:19.223817110 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:25.806915045 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:25.870055914 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:25.870776892 CEST808149705176.124.220.67192.168.2.6
Oct 24, 2022 16:27:25.870841980 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:25.870841980 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:26.199008942 CEST497058081192.168.2.6176.124.220.67
Oct 24, 2022 16:27:26.260819912 CEST808149705176.124.220.67192.168.2.6

Click to jump to process

Click to jump to process

  • File
  • Registry
  • Network

Click to dive into process behavior distribution

Target ID:0
Start time:16:27:05
Start date:24/10/2022
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\file.exe
Imagebase:0x1030000
File size:4847238 bytes
MD5 hash:734FCB6992CC87731801713D81F0D557
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:1
Start time:16:27:07
Start date:24/10/2022
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic os get Caption
Imagebase:0x7ff77e4d0000
File size:521728 bytes
MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:16:27:07
Start date:24/10/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6da640000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:3
Start time:16:27:09
Start date:24/10/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /C "wmic path win32_VideoController get name"
Imagebase:0x7ff7cb270000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:4
Start time:16:27:09
Start date:24/10/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6da640000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:5
Start time:16:27:09
Start date:24/10/2022
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic path win32_VideoController get name
Imagebase:0x7ff77e4d0000
File size:521728 bytes
MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:6
Start time:16:27:10
Start date:24/10/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /C "wmic cpu get name"
Imagebase:0x7ff7cb270000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:7
Start time:16:27:10
Start date:24/10/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6da640000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:8
Start time:16:27:10
Start date:24/10/2022
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic cpu get name
Imagebase:0x7ff77e4d0000
File size:521728 bytes
MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

No disassembly