
Windows Analysis Report
601964e6-093a-4525-a304-c557a4a357be.exe

Overview

General Information

Sample Name: 601964e6-093a-4525-a304-c557a4a357be.exe
Analysis ID: 808056
MD5: 196b4e0f90bdd2c119b7ef9e3a1efa97
SHA1: 955bcb5e2bf7f518bc56b8a2e1822498f08110cd
SHA256: 5caf93ba3ebc06d7df2e84e9d00f488961850d3d014caa08401a4ab4cb0d75e6
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
  • System is w10x64
  • 601964e6-093a-4525-a304-c557a4a357be.exe (PID: 5656 cmdline: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe MD5: 196B4E0F90BDD2C119B7EF9E3A1EFA97)
    • cmd.exe (PID: 5804 cmdline: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • choice.exe (PID: 5840 cmdline: choice /C Y /N /D Y /T 0 MD5: EA29BC6BCB1EFCE9C9946C3602F3E754)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Avira: detected
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | ReversingLabs: Detection: 30%
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Virustotal: Detection: 39%
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C00029C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.264775467.000000C0000B4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: *.google.com*.bdn.devg.cn*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.gstatic.cn*.gstatic-cn.comgooglecnapps.cngkecnapps.cn*.gkecnapps.cnrecaptcha.net.cnrecaptcha-cn.netwidevine.cn*.widevine.cndoubleclick.cn*.doubleclick.cngvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netadmob-cn.com*.admob-cn.com*.gstatic.com*.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.ytimg.comandroid.com*.android.com*.g.cng.co*.g.cogoo.glwww.goo.glgoogle.comggpht.cnyoutu.be*.ggpht.cnurchin.com*.urchin.comyoutube.comyt.be*.youtube.comyoutubekids.com*.yt.beUSUSCaliforniaSan Francisco150317141638Z150317141638Z450309141638Z450309141638ZCalifornia2.2.5San Francisco2.5.2.5.292.5.29.2.5.29.142.2.52.5.2.5.292.5.29.2.5.29.352.2.52.5.2.5.292.5.29.2.5.29.19 equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C000444000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: *.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.ytimg.comandroid.com*.android.com*.g.cng.co*.g.cogoo.glwww.goo.glgoogle.comggpht.cnyoutu.be*.ggpht.cnurchin.com*.urchin.comyoutube.comyt.be*.youtube.comyoutubekids.com*.yt.beUSUSCaliforniaSan Francisco150317141638Z150317141638Z450309141638Z450309141638ZCalifornia2.2.5San Francisco2.5.2.5.292.5.29.2.5.29.142.2.52.5.2.5.292.5.29.2.5.29.352.2.52.5.2.5.292.5.29.2.5.29.19 equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C00029C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: C:/Users/user/AppData/Local/Microsoft/Edge/User Data https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.264775467.000000C0000BA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: CertCreateCertificateContextCertFreeCertificateContextwww.youtube.com equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: Connections was calledhttp: suspiciously long trailer after chunked bodyhttps://www.youtube.com/getAccountSwitcherEndpointmallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %vnet/http: Transport failed to read fro equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C000450000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Host: www.youtube.com equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C000424000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Location: https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: PRAGMA busy_timeout = 5000;PRAGMA locking_mode = NORMAL;PRAGMA synchronous = NORMAL;637962485686793996-3320600880637962485686793996-3320600880GA1.2-4.172648318.1660684298GA1.2-4.172648318.1660684298GA1.2-4.1640056110.1660684298GA1.2-4.1640056110.1660684298GA1.2-2.172648318.1660684298GA1.2-2.172648318.1660684298GA1.2-2.1640056110.1660684298GA1.2-2.1640056110.1660684298GA1.1-4.172648318.1660684298GA1.1-4.172648318.16606842986639696_84_88_104280_84_4469406639696_84_88_104280_84_446940REQUEST_METHODwww.youtube.com Wed, 15 Feb 2023 04:33:33 GMT equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: _pad_shortframe_rststream_bad_lengarbage collection scangcDrain phase incorrecthttp2: handler panickedhttp: request too largehttps://www.youtube.comindex out of range [%x]interrupted system callinvalid PrintableStringinvalid URI for requestinvalid UUID length: equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: flate: internal error: frame_goaway_has_streamframe_headers_pad_shortframe_rststream_bad_lengarbage collection scangcDrain phase incorrecthttp2: handler panickedhttp: request too largehttps://www.youtube.comindex out of range [%x]interrupted system callinvalid PrintableStringinvalid URI for requestinvalid UUID length: %dinvalid escape sequenceinvalid m->lockedInt = invalid scalar encodingjson: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing port in addressmissing protocol schememissing type in runfinqmultipart: NextPart: %vnanotime returning zeronet/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timeskipping Question Classspan has no free stackssql: database is closedstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8too many pointers (>10)truncated tag or lengthunexpected address typeunexpected map key typeunknown empty width argunknown error code 0x%xunpacking Question.Nameunpacking Question.Typeunsupported certificatevarint integer overflowwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version, equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: got CONTINUATION for stream %d; expected stream %dhttp: putIdleConn: CloseIdleConnections was calledhttp: suspiciously long trailer after chunked bodyhttps://www.youtube.com/getAccountSwitcherEndpointmallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %vnet/http: Transport failed to read from server: %vnet/http: cannot rewind body after connection lossrecursive call during initialization - linker skewreflect.Value.Slice3: slice of unaddressable arrayruntime: unable to acquire - semaphore out of synctls: invalid signature by the server certificate: tls: received unexpected CertificateStatus messagex509: RSA public exponent is not a positive numberx509: invalid RDNSequence: invalid attribute valuex509: missing ASN.1 contents; use ParseCertificate{ equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.264775467.000000C000086000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpointC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000009.logC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENTC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journalC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\*C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOCKC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOGC:\Windows equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C000444000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: outube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.264775467.000000C000094000.00000004.00001000.00020000.00000000.sdmp, 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269268147.0000014FB29C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269268147.0000014FB2964000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com5 equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C00023E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269268147.0000014FB29C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.comxO equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C00023E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: }USERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userUSERPROFILEC:\Users\userPRAGMA busy_timeout = .support.google.com/intl/en_uk/chrome/intl/en_uk/chrome/intl/en_uk/chrome//intl/en_uk/chrome//intl/en_uk/chrome/www.youtube.com:443www.youtube.com:443HTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyNO_PROXYno_proxytcpwww.youtube.comHTTP/1.1 302 Found application/binaryX-Content-Type-OptionsPermissions-Policy equals www.youtube.com (Youtube)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: http://79.137.202.127/new.phpinteger
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269268147.0000014FB2995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C00029C000.00000004.00001000.00020000.00000000.sdmp, 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C000424000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C000286000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/youtube_main
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://studio.youtube.com/channel/mheap.freeSpanLocked
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://studio.youtube.com/reauth
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://studio.youtube.com/youtubei/v1/ars/grst?alt=json&key=net/http:
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://studio.youtube.com/youtubei/v1/att/esr?alt=json&key=https://studio.youtube.com/youtubei/v1/a
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://studio.youtube.com/youtubei/v1/security/get_web_reauth_url?alt=json&key=tls:
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://studio.youtube.comid
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.264775467.000000C000086000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpoint
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpointC:
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpointmallocgc
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://www.youtube.comindex
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: https://youtube.com/inconsistent
Source: unknown | DNS traffic detected: queries for: www.youtube.com
Source: global traffic | HTTP traffic detected: GET /getAccountSwitcherEndpoint HTTP/1.1 (Host: www.youtube.com; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip)
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: Number of sections : 11 > 10
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | ReversingLabs: Detection: 30%
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Virustotal: Detection: 39%
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | String found in binary or memory: net/addrselect.go
Source: classification engine | Classification label: mal60.spyw.winEXE@6/0@1/1
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000000.258428949.0000000000E64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static file information: File size 7806464 > 1048576
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x400400
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x314600
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 601964e6-093a-4525-a304-c557a4a357be.exe | Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\choice.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\choice.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\
Source: 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269268147.0000014FB2964000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | Code function: 0_2_00E1F820 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00E1F820
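Added example, not part of the sandbox report: a stand-alone Python reimplementation of the static PE checks listed above (section count above 10, non-standard section names, .text and .rdata larger than 0x100000, and the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE DllCharacteristics). The headers are parsed by hand so no third-party module is needed. build_sample_pe() constructs a header-only PE32+ image with the same shape as the sample (11 sections including .xdata, oversized .text); it is not the analysed binary. The whitelist of "standard" section names is an assumption, chosen so that .xdata is flagged the way the report flags it.

```python
"""Static PE triage reproducing the report's section and DllCharacteristics checks.
Added example, not sandbox code.  Headers are parsed by hand (no third-party module);
build_sample_pe() constructs a header-only PE32+ stand-in, not the analysed binary."""
import struct

# DllCharacteristics bits (PE/COFF spec) that the report lists for this sample.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Assumed whitelist of linker-emitted names.  .xdata is deliberately absent so the
# check flags it, matching "section name: .xdata" in the report above.
STANDARD_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata",
    ".reloc", ".rsrc", ".tls", ".CRT", ".symtab",
}

# Constructed section layout for the demo image (11 entries, like the sample).
SAMPLE_SECTION_NAMES = [
    ".text", ".rdata", ".data", ".pdata", ".xdata", ".bss",
    ".idata", ".CRT", ".tls", ".reloc", ".symtab",
]


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                        # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + opt_size
    for i in range(nsections):                   # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _, rawsize, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(data: bytes, max_sections: int = 10, big: int = 0x100000) -> dict:
    """Return report-style findings for one PE image."""
    pe = parse_pe(data)
    findings = []
    if len(pe["sections"]) > max_sections:
        findings.append(f"more sections than normal: {len(pe['sections'])} > {max_sections}")
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name: {s['name']}")
        if s["virtual_size"] > big:
            findings.append(f"virtual size of {s['name']} is bigger than 0x{big:x}")
        if s["raw_size"] > big:
            findings.append(f"raw size of {s['name']} is bigger than 0x{big:x}")
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit]
    return {"findings": findings, "dll_characteristics": flags,
            "section_names": [s["name"] for s in pe["sections"]]}


def build_sample_pe(section_names, dll_characteristics=0x8160, text_size=0x400400) -> bytes:
    """Constructed header-only PE32+ (x64): no code, just enough for parse_pe()."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240                          # PE32+ optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    table = b""
    for i, name in enumerate(section_names):
        size = text_size if name == ".text" else 0x1000
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, 0x1000 * (i + 1),
                             size, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    result = triage(build_sample_pe(SAMPLE_SECTION_NAMES))
    for line in result["findings"]:
        print(line)
    print("DllCharacteristics:", ", ".join(result["dll_characteristics"]))
```

On a real file, call triage(open(path, "rb").read()). The size and section-count thresholds are exactly the heuristics the report applies; a large statically linked Go binary trips them routinely, so treat them as triage context, not as a verdict on their own.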
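Added example, not sandbox output: detection logic for two behaviours recorded above, the cmd.exe self-delete spawn from the process tree (choice /C Y /N /D Y /T 0 &Del <own image>) and the Go-default-User-Agent GET to www.youtube.com/getAccountSwitcherEndpoint, together with the hard-coded http://79.137.202.127/new.php string. The process and HTTP records below are constructed in the shape of Sysmon Event ID 1 and proxy-log fields; PIDs, source IPs, the benign control records and the file names in them are invented.

```python
"""Detection logic for the self-delete cmd.exe spawn and the network indicators in the
report above.  Added example, not sandbox output; the records below are constructed
(Sysmon Event ID 1 / proxy-log shape), and the benign control records are invented."""
import re
from urllib.parse import urlsplit

# `choice /C Y /N /D Y /T <n>` is a dependency-free sleep (auto-answers "Y" after n
# seconds); chained with `& del <file>` it lets the parent exit before its own image
# is unlinked.  Case-insensitive and tolerant of "&Del" with no space, as in the sample.
SELF_DELETE_RE = re.compile(
    r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&+\s*del\s+(?P<target>\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)


def detect_self_delete(events):
    """Flag cmd.exe spawns using the choice/del idiom; mark whether the target is the parent image."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(ev["command_line"])
        if not m:
            continue
        target = m.group("target").strip('"')
        hits.append({
            "pid": ev["pid"],
            "parent_image": ev["parent_image"],
            "deleted": target,
            "self_delete": target.lower() == ev["parent_image"].lower(),
        })
    return hits


GO_DEFAULT_UA = "Go-http-client/1.1"               # net/http default when no UA is set
ACCOUNT_ENDPOINTS = {("www.youtube.com", "/getAccountSwitcherEndpoint")}
KNOWN_C2_URLS = {"http://79.137.202.127/new.php"}  # string found in the binary (report above)


def detect_network_iocs(requests):
    """Match proxy-style records against the sample's network indicators."""
    hits = []
    for req in requests:
        url = req["url"]
        parts = urlsplit(url)
        reasons = []
        if url in KNOWN_C2_URLS:
            reasons.append("known C2 URL")
        # The Go UA alone is common in legitimate tooling; only pair it with an
        # account/session endpoint that a headless client has no business fetching.
        if req.get("user_agent") == GO_DEFAULT_UA and (parts.hostname, parts.path) in ACCOUNT_ENDPOINTS:
            reasons.append("Go default User-Agent to account endpoint")
        if reasons:
            hits.append({"src": req["src"], "url": url, "reasons": reasons})
    return hits


SAMPLE = r"C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe"

# Constructed process-creation records (Sysmon Event ID 1 shape).
SAMPLE_PROCESS_EVENTS = [
    {"pid": 5804, "image": r"C:\Windows\System32\cmd.exe", "parent_image": SAMPLE,
     "command_line": r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del " + SAMPLE},
    # benign control: choice used as a countdown, nothing deleted
    {"pid": 7001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 5 & echo done"},
    # invented installer cleaning up a temp file: same idiom, but not its own image
    {"pid": 7002, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 2 & del C:\Users\user\AppData\Local\Temp\payload.tmp"},
]

# Constructed proxy / TLS-inspection records.
SAMPLE_HTTP_REQUESTS = [
    {"src": "10.0.0.5", "url": "https://www.youtube.com/getAccountSwitcherEndpoint", "user_agent": GO_DEFAULT_UA},
    {"src": "10.0.0.5", "url": "http://79.137.202.127/new.php", "user_agent": GO_DEFAULT_UA},
    {"src": "10.0.0.9", "url": "https://api.github.com/repos/golang/go", "user_agent": GO_DEFAULT_UA},  # legitimate Go tool
    {"src": "10.0.0.7", "url": "https://www.youtube.com/getAccountSwitcherEndpoint",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"},                    # real browser
]

if __name__ == "__main__":
    for h in detect_self_delete(SAMPLE_PROCESS_EVENTS):
        print("self-delete" if h["self_delete"] else "delete-other", h)
    for h in detect_network_iocs(SAMPLE_HTTP_REQUESTS):
        print("network", h)
```

Two caveats for deployment. The self-delete check needs the parent-child pair: the cmd.exe command line is unremarkable on its own, and the distinctive fact is that the file being deleted is the parent's image. On the network side, the GET line in the report was recovered by the sandbox; a wire sensor without TLS inspection sees only the DNS query for www.youtube.com and port-443 traffic, so the usable signal there degrades to the plaintext http://79.137.202.127/new.php request and the Go User-Agent.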

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c22ad13a-a322-4fd2-af93-38f6ee0e683c
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics DatabaseJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\CacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_DataJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons MaskableJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\IconsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\defJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons MonochromeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\CacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncmJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDBJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadataJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code CacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\extJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SessionsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\EncryptionJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldoomlJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension RulesJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local StorageJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension SettingsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StorageJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code CacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhiJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons MonochromeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorageJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest ResourcesJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons MonochromeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\IconsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdfllckaahabafndbhieahigkjlhalfJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\jsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgiclJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasmJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjfJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons MonochromeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM StoreJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\defJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_dbJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing NetworkJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local StorageJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NetworkJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasmJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmiedaJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons MonochromeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons MaskableJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\FilesJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons MaskableJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform NotificationsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension ScriptsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosedJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_dbJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_storeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dirJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\TempJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons MonochromeJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session StorageJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement TrackerJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfakJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform NotificationsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dirJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldbJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session StorageJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pjkljhegncpnkpknbcohdijeoejaediaJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App SettingsJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dirJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCacheJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDBJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabaseJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDBJump to behavior
Source: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
ATT&CK matrix (one line per tactic; the number in parentheses is the hit count shown in the matrix for that technique)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (11), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Process Injection (11), Rootkit, Obfuscated Files or Information, Binary Padding, Software Packing
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: System Time Discovery (1), Security Software Discovery (1), File and Directory Discovery (1), System Information Discovery (13), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1), Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data
Behavior Graph (ID: 808056, Sample: 601964e6-093a-4525-a304-c557a4a357be.exe, Start date: 15/02/2023, Architecture: WINDOWS, Score: 60)

  • Signatures on the sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
  • 601964e6-093a-4525-a304-c557a4a357be.exe started; contacts youtube-ui.l.google.com (142.250.184.78, port 443, local port 49683, GOOGLEUS, United States) and www.youtube.com; signature: Tries to harvest and steal browser information (history, passwords, etc)
  • cmd.exe started by the sample; conhost.exe and choice.exe started by cmd.exe

Source | Detection | Scanner | Label
601964e6-093a-4525-a304-c557a4a357be.exe | 31% | ReversingLabs | Win64.Trojan.Generic
601964e6-093a-4525-a304-c557a4a357be.exe | 40% | Virustotal |
601964e6-093a-4525-a304-c557a4a357be.exe | 100% | Avira | HEUR/AGEN.1216913
No Antivirus matches
Source | Detection | Scanner | Label
https://csp.withgoogle.com/csp/report-to/youtube_main | 0% | URL Reputation | safe
https://studio.youtube.comid | 0% | URL Reputation | safe
https://www.youtube.comindex | 0% | URL Reputation | safe
http://79.137.202.127/new.phpinteger | 2% | Virustotal |
http://79.137.202.127/new.phpinteger | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
youtube-ui.l.google.com | 142.250.184.78 | true | false | | high
www.youtube.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://www.youtube.com/getAccountSwitcherEndpoint | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://csp.withgoogle.com/csp/report-to/youtube_main | 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C000286000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://79.137.202.127/new.phpinteger | 601964e6-093a-4525-a304-c557a4a357be.exe | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://studio.youtube.comid | 601964e6-093a-4525-a304-c557a4a357be.exe | false | URL Reputation: safe | unknown
https://studio.youtube.com/youtubei/v1/security/get_web_reauth_url?alt=json&key=tls: | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
https://studio.youtube.com/channel/mheap.freeSpanLocked | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
https://www.youtube.com/getAccountSwitcherEndpointC: | 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C00040C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.youtube.comindex | 601964e6-093a-4525-a304-c557a4a357be.exe | false | URL Reputation: safe | unknown
https://studio.youtube.com/youtubei/v1/ars/grst?alt=json&key=net/http: | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww. | 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.267993283.000000C00029C000.00000004.00001000.00020000.00000000.sdmp; 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.269001248.000000C000424000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://studio.youtube.com/youtubei/v1/att/esr?alt=json&key=https://studio.youtube.com/youtubei/v1/a | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
https://studio.youtube.com/reauth | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
https://www.youtube.com | 601964e6-093a-4525-a304-c557a4a357be.exe, 00000000.00000002.264775467.000000C000086000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.youtube.com/getAccountSwitcherEndpointmallocgc | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
https://youtube.com/inconsistent | 601964e6-093a-4525-a304-c557a4a357be.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.184.78 | youtube-ui.l.google.com | United States | 15169 | GOOGLEUS | false
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:808056
                            Start date and time:2023-02-15 05:32:32 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 4m 45s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:4
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample file name:601964e6-093a-4525-a304-c557a4a357be.exe
                            Detection:MAL
                            Classification:mal60.spyw.winEXE@6/0@1/1
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 100% (good quality ratio 50%)
                            • Quality average: 50%
                            • Quality standard deviation: 50%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com
                            • Execution Graph export aborted for target 601964e6-093a-4525-a304-c557a4a357be.exe, PID 5656 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            No context
                            No created / dropped files found
                            File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                            Entropy (8bit):6.2576226502203784
                            TrID:
                            • Win64 Executable (generic) (12005/4) 74.95%
                            • Generic Win/DOS Executable (2004/3) 12.51%
                            • DOS Executable Generic (2002/1) 12.50%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                            File name:601964e6-093a-4525-a304-c557a4a357be.exe
                            File size:7806464
                            MD5:196b4e0f90bdd2c119b7ef9e3a1efa97
                            SHA1:955bcb5e2bf7f518bc56b8a2e1822498f08110cd
                            SHA256:5caf93ba3ebc06d7df2e84e9d00f488961850d3d014caa08401a4ab4cb0d75e6
                            SHA512:76f6292c1ad3bb21c0245be7985580f07587deac287ad91aa484603686b3336160ef0c7926c01860d8821865d20c02801e446d48407a58a182ed94e743ba6002
                            SSDEEP:49152:z+pCapzOib56rb/ThvO90d7HjmAFd4A64nsfJTEtpCNVIR+dUGwlnDBJAUT8e8rr:ctfq+2bF6MS6pc2ElAz4qX
                            TLSH:F7763B07F85190E8C1BED230C62692A3BA717C855B3027D72B50FBB92F76BD46A79314
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...#..c..............."..@...w...............@...............................}.....O.w...`... ............................
                            Icon Hash:00828e8e8686b000
                            Entrypoint:0x4014c0
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x63EBDA23 [Tue Feb 14 18:59:47 2023 UTC]
                            TLS Callbacks:0x7ffa30
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:57c9b357ae0cb2f414b0a5873e2f216d
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7c7000 | 0x159 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7c8000 | 0x1648 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x759000 | 0x5e20 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7cc000 | 0xd71c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x757980 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7c84fc | 0x4c0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x400390 | 0x400400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x402000 | 0x41290 | 0x41400 | False | 0.4151251197318008 | data | 5.20780982425304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x444000 | 0x3144c0 | 0x314600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x759000 | 0x5e20 | 0x6000 | False | 0.4964192708333333 | data | 5.907431256917045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x75f000 | 0x65e0 | 0x6600 | False | 0.1697686887254902 | data | 4.528108187101824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x766000 | 0x60e68 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x7c7000 | 0x159 | 0x200 | False | 0.42578125 | data | 3.7604920171627763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x7c8000 | 0x1648 | 0x1800 | False | 0.2926432291666667 | data | 4.363534158937259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x7ca000 | 0x68 | 0x200 | False | 0.0703125 | data | 0.2397656363955928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x7cb000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x7cc000 | 0xd71c | 0xd800 | False | 0.2669994212962963 | data | 5.429633439486475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, AreFileApisANSI, CloseHandle, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateMutexW, CreateThread, CreateWaitableTimerA, CreateWaitableTimerExW, DeleteCriticalSection, DeleteFileA, DeleteFileW, DuplicateHandle, EnterCriticalSection, ExitProcess, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFullPathNameA, GetFullPathNameW, GetLastError, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadContext, GetTickCount, GetVersionExA, GetVersionExW, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, LockFile, LockFileEx, MapViewOfFile, MultiByteToWideChar, OutputDebugStringA, OutputDebugStringW, PostQueuedCompletionStatus, QueryPerformanceCounter, ReadFile, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsGetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _endthreadex, _errno, _fmode, _initterm, _localtime64, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, qsort, realloc, signal, strcmp, strcspn, strlen, strncmp, strrchr, vfprintf
Name | Ordinal | Address
_cgo_dummy_export | 1 | 0xbc6e50
authorizerTrampoline | 2 | 0x7345e0
callbackTrampoline | 3 | 0x734300
commitHookTrampoline | 4 | 0x7344c0
compareTrampoline | 5 | 0x734420
doneTrampoline | 6 | 0x7343d0
preUpdateHookTrampoline | 7 | 0x734660
rollbackHookTrampoline | 8 | 0x734520
stepTrampoline | 9 | 0x734360
updateHookTrampoline | 10 | 0x734570


                            • Total Packets: 13
                            • 443 (HTTPS)
                            • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 15, 2023 05:33:32.730751991 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:32.730798006 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.730915070 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:32.735698938 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:32.735728025 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.805651903 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.806581020 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:32.806617975 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.806828976 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:32.806839943 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.807467937 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.807616949 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:32.808293104 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:32.808427095 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:33.150882006 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:33.150939941 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:33.151205063 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:33.151282072 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:33.151303053 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:33.198461056 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:33.198723078 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:33.199320078 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:33.199353933 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Feb 15, 2023 05:33:33.199413061 CET | 49683 | 443 | 192.168.2.3 | 142.250.184.78
Feb 15, 2023 05:33:33.199431896 CET | 443 | 49683 | 142.250.184.78 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 15, 2023 05:33:32.694387913 CET | 58974 | 53 | 192.168.2.3 | 8.8.8.8
Feb 15, 2023 05:33:32.721139908 CET | 53 | 58974 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 15, 2023 05:33:32.694387913 CET | 192.168.2.3 | 8.8.8.8 | 0x2ad | Standard query (0) | www.youtube.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | www.youtube.com | youtube-ui.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | youtube-ui.l.google.com | | 142.250.184.78 | A (IP address) | IN (0x0001) | false
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | youtube-ui.l.google.com | | 142.250.184.110 | A (IP address) | IN (0x0001) | false
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | youtube-ui.l.google.com | | 142.250.180.142 | A (IP address) | IN (0x0001) | false
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | youtube-ui.l.google.com | | 142.250.180.174 | A (IP address) | IN (0x0001) | false
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | youtube-ui.l.google.com | | 142.251.209.14 | A (IP address) | IN (0x0001) | false
Feb 15, 2023 05:33:32.721139908 CET | 8.8.8.8 | 192.168.2.3 | 0x2ad | No error (0) | youtube-ui.l.google.com | | 142.251.209.46 | A (IP address) | IN (0x0001) | false
                            • www.youtube.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49683 | 142.250.184.78 | 443 | C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Timestamp | kBytes transferred | Direction | Data
2023-02-15 04:33:33 UTC | 0 | OUT | GET /getAccountSwitcherEndpoint HTTP/1.1
                            Host: www.youtube.com
                            User-Agent: Go-http-client/1.1
                            Accept-Encoding: gzip
2023-02-15 04:33:33 UTC | 0 | IN | HTTP/1.1 302 Found
                            Content-Type: application/binary
                            X-Content-Type-Options: nosniff
                            Location: https://accounts.google.com/ServiceLogin?service=youtube&passive=1209600&continue=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint&followup=https%3A%2F%2Fwww.youtube.com%2FgetAccountSwitcherEndpoint
                            Strict-Transport-Security: max-age=31536000
                            X-Frame-Options: SAMEORIGIN
                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
                            Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="youtube_main"
                            Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                            Date: Wed, 15 Feb 2023 04:33:33 GMT
                            Server: ESF
                            Content-Length: 0
                            X-XSS-Protection: 0
                            Set-Cookie: CONSENT=PENDING+033; expires=Fri, 14-Feb-2025 04:33:33 GMT; path=/; domain=.youtube.com; Secure
                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                            Connection: close



Target ID: 0
Start time: 05:33:30
Start date: 15/02/2023
Path: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Imagebase: 0xa20000
File size: 7806464 bytes
MD5 hash: 196B4E0F90BDD2C119B7EF9E3A1EFA97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 05:33:32
Start date: 15/02/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\601964e6-093a-4525-a304-c557a4a357be.exe
Imagebase: 0x7ff707bb0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 05:33:32
Start date: 15/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 05:33:32
Start date: 15/02/2023
Path: C:\Windows\System32\choice.exe
Wow64 process (32bit): false
Commandline: choice /C Y /N /D Y /T 0
Imagebase: 0x7ff77b960000
File size: 33280 bytes
MD5 hash: EA29BC6BCB1EFCE9C9946C3602F3E754
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                            Non-executed Functions

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32 ref: 00E1F865
                            • GetCurrentProcessId.KERNEL32 ref: 00E1F870
                            • GetCurrentThreadId.KERNEL32 ref: 00E1F878
                            • GetTickCount.KERNEL32 ref: 00E1F880
                            • QueryPerformanceCounter.KERNEL32 ref: 00E1F88E
                            Memory Dump Source
                            • Source File: 00000000.00000002.262713009.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.262706956.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263887283.0000000000E22000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263895318.0000000000E2D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263953372.0000000000E55000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263960132.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263965722.0000000000E57000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263970945.0000000000E58000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263977242.0000000000E5B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263983422.0000000000E5D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263988601.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.263997874.0000000000E64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264493499.0000000001186000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264493499.00000000011B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264493499.00000000011B6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264493499.00000000011DD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264493499.00000000011E6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264528480.00000000011E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264536644.00000000011E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264542265.00000000011E9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264546864.00000000011EC000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a20000_601964e6-093a-4525-a304-c557a4a357be.jbxd
                            Similarity
                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                            • String ID:
                            • API String ID: 1445889803-0
                            • Opcode ID: 881144c4d080a5c749eb505f5bd808957dd4c64713221c7bea338408f6391d5c
                            • Instruction ID: 469934612cffb2451369703e8da03f787a4dcb49f62c0ca9712bd2299bf1bf9e
                            • Opcode Fuzzy Hash: 881144c4d080a5c749eb505f5bd808957dd4c64713221c7bea338408f6391d5c
                            • Instruction Fuzzy Hash: 1B11A036712A5086FB504B65F804396B3A0B748BF4F085B31DE5C13BA4EE3CC98AC700
                            Uniqueness

                            Uniqueness Score: -1.00%