
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538494
MD5: c2437df2b81c3abf87f04873ddf9ba9d
SHA1: d52387ccd75a7fd348688274eebf9d5d1396c256
SHA256: c85b7c9e1936855bf7e5142b7f8ddcf55b6d99c934a0186951a925e7dc7c34b4
Tags: exe, user-Bitsight

Detection

Score: 52 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Classification label: mal52.troj.winEXE@6/3@1/1

Process Tree

  • System is w10x64
  • file.exe (PID: 2324, cmdline: "C:\Users\user\Desktop\file.exe", MD5: C2437DF2B81C3ABF87F04873DDF9BA9D)
    • file.tmp (PID: 5956, cmdline: "C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp" /SL5="$20406,922170,832512,C:\Users\user\Desktop\file.exe", MD5: 2219368033CD980984845AAAB1FAB363)
      • cmd.exe (PID: 5976, cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\geed.bat"", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5764, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)

The file.exe to file.tmp hop (extraction into is-UPQ01.tmp and relaunch with /SL5=) is the normal Inno Setup bootstrap; the innosetup.com and jrsoftware.org strings later in the report confirm the packaging. The behaviour specific to this installer is the batch script launched through cmd.exe /C from is-KP2VF.tmp and the download performed by the dropped Inno Download Plugin (idp.dll) from pleasuresky.xyz.
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample -- Integrated Neural Analysis Model: Matched 83.6% probability
Source: file.exe -- Joe Sandbox ML: detected
Source: file.exe -- Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown -- HTTPS traffic detected: 104.21.29.144:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: file.exe -- Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb -- source: file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr

The idp.pdb path, together with the bitbucket.org/mitrich_k/inno-download-plugin string found in the same memory region, identifies the dropped idp.dll as the open-source Inno Download Plugin, the installer component responsible for the HTTPS request described under Networking.
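The two Static PE information lines above are worth reading together. RELOCS_STRIPPED in the COFF header means the image carries no relocation table, so the DYNAMIC_BASE flag in the optional header cannot be honoured and the binary always loads at its preferred base; the .didata section flagged later in the report is the Delphi linker's delayed-import section, which every Inno Setup binary carries, so on its own it is not a packing indicator. The following Python script is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses just enough of a PE32 header, without pefile, to recover both flag sets and the section names, and applies those two checks. The header bytes it parses are constructed in build_sample_pe to carry exactly the flags reported for file.exe with a representative Delphi section list; the list of "common" section names is an assumption of the example.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumed baseline of section names a generic linker emits; .itext/.didata are
# Delphi linker sections and therefore expected in Inno Setup installers.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                   ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
DELPHI_SECTIONS = {".itext", ".didata"}


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional header's DllCharacteristics and the section names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    first_section = opt + opt_size
    for i in range(nsections):
        off = first_section + 40 * i
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": sorted(n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit),
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "sections": sections,
    }


def assess(info: dict) -> list:
    """Turn the raw flags into the observations a triage analyst cares about."""
    findings = []
    chars = set(info["characteristics"])
    dll_chars = set(info["dll_characteristics"])
    if "DYNAMIC_BASE" in dll_chars and "RELOCS_STRIPPED" in chars:
        findings.append("DYNAMIC_BASE set but relocations stripped: image cannot be rebased, ASLR is ineffective")
    if "NX_COMPAT" not in dll_chars:
        findings.append("NX_COMPAT clear: DEP opt-out")
    for name in info["sections"]:
        if name in DELPHI_SECTIONS:
            findings.append(f"section {name}: Delphi linker section, expected in Inno Setup binaries")
        elif name not in COMMON_SECTIONS:
            findings.append(f"section {name}: non-standard name, inspect")
    return findings


def build_sample_pe(characteristics: int, dll_characteristics: int, section_names) -> bytes:
    """Constructed PE32 header (no code, no data) carrying the given flags; a test fixture only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header follows the DOS header
    opt_size = 224                                           # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


# Flags copied from the Static PE information lines of this report; the section
# list is a representative Delphi/Inno Setup layout, not read from the sample.
REPORT_FILE_FLAGS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0080 | 0x0100 | 0x8000
REPORT_DLL_FLAGS = 0x0040 | 0x0100 | 0x8000
SAMPLE_PE = build_sample_pe(REPORT_FILE_FLAGS, REPORT_DLL_FLAGS,
                            [".text", ".itext", ".data", ".didata", ".rsrc"])


def analyze_sample() -> tuple:
    """Parse the constructed header and return (parsed info, findings)."""
    info = parse_pe(SAMPLE_PE)
    return info, assess(info)


if __name__ == "__main__":
    info, findings = analyze_sample()
    print(info["characteristics"])
    print(info["dll_characteristics"])
    for f in findings:
        print("-", f)
```

Against the constructed header the script reports the ASLR mismatch and classifies .itext and .didata as expected Delphi sections; the same parse_pe call works on a real file's first few kilobytes, since only the headers are read.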

Networking

Source: DNS query: pleasuresky.xyz
Source: Joe Sandbox View -- ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View -- JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown -- UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic -- HTTP traffic detected: GET /pe/start/index.php?a=2927&p=4143&t=51166691 HTTP/1.1 | Accept: */* | User-Agent: InnoDownloadPlugin/1.5 | Host: pleasuresky.xyz | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic -- DNS traffic detected: DNS query: pleasuresky.xyz
Source: file.tmp, 00000003.00000002.2520555768.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr -- String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: file.tmp, 00000003.00000002.2520555768.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr -- String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: file.exe -- String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: file.tmp, 00000003.00000003.2515567178.0000000000975000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.000000000097C000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2521163705.00000000009C6000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/
Source: file.tmp, 00000003.00000003.2515567178.0000000000975000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.000000000097C000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/e
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/osoft
Source: file.exe, 00000002.00000003.2522338093.00000000022C2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2463639875.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2468497492.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.000000000099E000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2519669526.0000000000C51000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2519669526.0000000000C6E000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009A4000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691
Source: file.tmp, 00000003.00000003.2518734526.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009A4000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=511666918
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691Authority
Source: file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691D4
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691l
Source: file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp -- String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691yv
Source: file.exe, 00000002.00000003.2464708641.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2465108220.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000000.2467127389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.2.dr -- String found in binary or memory: https://www.innosetup.com/
Source: file.exe, 00000002.00000003.2464708641.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2465108220.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000000.2467127389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.2.dr -- String found in binary or memory: https://www.remobjects.com/ps
Source: unknown -- Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown -- Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown -- Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown -- Network traffic detected: HTTP traffic on port 443 -> 49724
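The GET request above is the only HTTP exchange in the capture, and it travelled over TLS (port 443), so a network sensor without TLS interception sees just the DNS query, the SNI and the JA3 hash; the User-Agent and the query string are visible only to the sandbox or to an endpoint agent. The script below is an added example, not code from the report: it parses the raw request as the sandbox reconstructed it, extracts the fields an analyst would turn into indicators, and flags the InnoDownloadPlugin User-Agent whenever the destination host is not on an allowlist of expected download hosts. The raw request bytes are constructed from the traffic line above; the allowlist and the verdict logic are assumptions of the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the HTTP traffic line in this report (headers joined with CRLF).
RAW_REQUEST = (
    b"GET /pe/start/index.php?a=2927&p=4143&t=51166691 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: InnoDownloadPlugin/1.5\r\n"
    b"Host: pleasuresky.xyz\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

# Assumed allowlist: hosts an installer in your environment is expected to download from.
ALLOWED_DOWNLOAD_HOSTS = {"download.example.com"}


def parse_http_request(raw: bytes) -> dict:
    """Parse one HTTP/1.x request (request line plus headers) into a dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "version": version,
        "path": parts.path,
        # single-valued parameters are flattened; repeated ones stay as lists
        "query": {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parts.query).items()},
        "headers": headers,
        "body": body,
    }


def classify_download_request(req: dict, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS, scheme="https") -> dict:
    """Apply the triage rules and return a verdict plus the indicators to record."""
    host = req["headers"].get("host", "")
    ua = req["headers"].get("user-agent", "")
    url = f"{scheme}://{host}{req['path']}"
    if req["query"]:
        url += "?" + "&".join(f"{k}={v}" for k, v in req["query"].items())
    findings = []
    if ua.startswith("InnoDownloadPlugin/"):
        findings.append(f"installer download component in use ({ua})")
        if host not in allowed_hosts:
            findings.append(f"download host {host} is not an expected distribution host")
    if req["query"]:
        findings.append("request carries query parameters: " + ", ".join(sorted(req["query"])))
    return {
        "suspicious": any("not an expected" in f for f in findings),
        "findings": findings,
        "iocs": {"domain": host, "url": url, "user_agent": ua},
    }


def analyze_report_request() -> dict:
    """Run the rules over the request captured in this report."""
    return classify_download_request(parse_http_request(RAW_REQUEST))


if __name__ == "__main__":
    verdict = analyze_report_request()
    print("suspicious:", verdict["suspicious"])
    for f in verdict["findings"]:
        print("-", f)
    print("IOCs:", verdict["iocs"])
```

The reconstructed URL matches the string the sandbox found in file.tmp's memory, which is the form to record as the indicator; for wire-level detection, pair the domain from the DNS query with the SNI, and treat the JA3 hash as corroboration only, since the report's own JA3 context table shows the same hash beside unrelated samples.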
Source: file.tmp.2.dr -- Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows (the embedded 64-bit helper that file.tmp later drops as _isetup\_setup64.tmp)
Source: file.exe, 00000002.00000003.2465108220.000000007FE35000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000002.00000003.2464708641.0000000002668000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000002.00000003.2522338093.00000000022D8000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenamekernel32j% vs file.exe
Source: file.exe, 00000002.00000000.2463344098.00000000004C6000.00000002.00000001.01000000.00000003.sdmp -- Binary or memory string: OriginalFileName vs file.exe
Source: file.exe -- Binary or memory string: OriginalFileName vs file.exe
Source: classification engine -- Classification label: mal52.troj.winEXE@6/3@1/1
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Users\user\Desktop\file.exe -- File created: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp
Source: C:\Users\user\Desktop\file.exe -- Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\Desktop\file.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: file.exe -- String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\file.exe -- File read: C:\Users\user\Desktop\file.exe
Source: unknown -- Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp" /SL5="$20406,922170,832512,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\geed.bat""
Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
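The process-creation lines above are the standard Inno Setup bootstrap (file.exe extracts file.tmp into an is-XXXXX.tmp directory and relaunches it with /SL5=), followed by the one step specific to this installer: the setup engine runs a batch file from a second is-XXXXX.tmp directory through cmd.exe /C. The following Python script is an added example, not code from the report, of a triage rule over process-creation telemetry: it recognises the Inno second stage from its path and /SL5= argument, then flags any cmd.exe child of it that executes a .bat or .cmd from an Inno temp directory. The events are constructed from the PIDs and command lines in this report; the parent PID of file.exe and the event field layout are assumptions, and because legitimate installers also run batch files this way the rule is a triage signal, not a verdict on its own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Inno Setup unpacks its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp and
# relaunches it with /SL5="$<handle>,<offsets>,<original exe>".
INNO_STAGE2_IMAGE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
INNO_STAGE2_ARG = re.compile(r'/SL5="?\$', re.IGNORECASE)
# A .bat/.cmd path inside any is-XXXXX.tmp directory, as passed to cmd.exe /C.
INNO_SCRIPT = re.compile(
    r'([A-Za-z]:\\[^"\r\n]*?\\is-[A-Z0-9]{5}\.tmp\\[^"\r\n]*?\.(?:bat|cmd))', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; ppid 1234 for file.exe is a placeholder.
REPORT_EVENTS = [
    ProcEvent(2324, 1234, r"C:\Users\user\Desktop\file.exe",
              r'"C:\Users\user\Desktop\file.exe"'),
    ProcEvent(5956, 2324, r"C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp" /SL5="$20406,922170,832512,C:\Users\user\Desktop\file.exe"'),
    ProcEvent(5976, 5956, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\geed.bat""'),
    ProcEvent(5764, 5976, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]


def is_inno_stage2(ev: ProcEvent) -> bool:
    """True for the relaunched Inno Setup engine (is-XXXXX.tmp\*.tmp with /SL5=)."""
    return bool(INNO_STAGE2_IMAGE.search(ev.image)) and bool(INNO_STAGE2_ARG.search(ev.cmdline))


def is_cmd(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\cmd.exe")


def find_inno_batch_execution(events: List[ProcEvent]) -> List[Dict]:
    """One finding per cmd.exe that an Inno second stage used to run a script from is-*.tmp."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if not is_cmd(ev):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or not is_inno_stage2(parent):
            continue
        m = INNO_SCRIPT.search(ev.cmdline)
        if not m:
            continue
        findings.append({
            "rule": "inno_setup_runs_batch_from_temp",
            "installer_pid": parent.pid,
            "installer_image": parent.image,
            "cmd_pid": ev.pid,
            "script": m.group(1),
        })
    return findings


if __name__ == "__main__":
    for finding in find_inno_batch_execution(REPORT_EVENTS):
        print(finding)
```

On the constructed events the rule yields a single finding naming file.tmp (PID 5956) as the installer and is-KP2VF.tmp\geed.bat as the script; the script itself was not captured in the report, so its contents remain the open question for a follow-up analysis.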
Source: C:\Users\user\Desktop\file.exe -- Sections loaded: version.dll, netapi32.dll, netutils.dll, uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Sections loaded: mpr.dll, version.dll, netapi32.dll, winhttp.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (3 times), windows.storage.dll, wldp.dll, profapi.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, wininet.dll, iertutil.dll, sspicli.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe -- Sections loaded: cmdext.dll

The winhttp.dll, wininet.dll, schannel.dll and ncryptsslp.dll loads in file.tmp are consistent with idp.dll performing the HTTPS download through the Windows TLS stack. The JA3 hash therefore reflects that stack rather than code specific to this sample, which is also why the same hash appears beside unrelated samples in the JA3 context table at the end of the report.
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: file.exe -- Static file information: File size 1764409 > 1048576
Source: file.exe -- Static PE information: section name: .didata
Source: file.tmp.2.dr -- Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- File created (dropped file): C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\idp.dll
Source: C:\Users\user\Desktop\file.exe -- File created (dropped file): C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- File created (dropped file): C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\file.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (7 times)
Source: C:\Windows\SysWOW64\cmd.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\_isetup\_setup64.tmp

Two caveats on the dropped files. First, the "not been started" signature for idp.dll should not be read as the plugin never running: the idp.pdb string was found inside file.tmp's memory and the HTTPS request carries the InnoDownloadPlugin/1.5 User-Agent, so the DLL evidently executed within the file.tmp process. Second, all three dropped files are the installer's own components; nothing fetched from pleasuresky.xyz appears among them, so the content served by index.php is not captured in this report.

Source: file.tmp, 00000003.00000003.2515567178.0000000000982000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000986000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW"~
Source: file.tmp, 00000003.00000003.2515567178.0000000000982000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW(
MITRE ATT&CK Matrix

Techniques followed by a count in parentheses were matched by signatures in this analysis; the remaining entries are the unmatched cells of the report's matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron
Persistence: Scripting (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); System Owner/User Discovery (2); System Information Discovery (1); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph

Behavior Graph ID: 1538494. Sample: file.exe. Start date: 21/10/2024. Architecture: WINDOWS. Score: 52.

  • file.exe started; signatures at the root: Machine Learning detection for sample, AI detected suspicious sample
    • dropped C:\Users\user\AppData\Local\Temp\...\file.tmp (PE32)
    • file.tmp started
      • contacted pleasuresky.xyz (104.21.29.144, port 443, local ports 49722 and 49724; CLOUDFLARENETUS, United States); signature: Performs DNS queries to domains with low reputation
      • dropped C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
      • dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      • cmd.exe started
        • conhost.exe started

Source | Detection | Scanner
file.exe | 8% | ReversingLabs
file.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\idp.dll | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://www.remobjects.com/ps | 0% | URL Reputation | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Reputation
pleasuresky.xyz | 104.21.29.144 | true | true | unknown

Name | Malicious | Reputation
https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691 | false | unknown

Name | Source | Malicious | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | file.exe | false | unknown
https://pleasuresky.xyz/osoft | file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691l | file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691D4 | file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691Authority | file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.remobjects.com/ps | file.exe, 00000002.00000003.2464708641.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2465108220.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000000.2467127389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.2.dr | false | URL Reputation: safe
https://www.innosetup.com/ | file.exe, 00000002.00000003.2464708641.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2465108220.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000000.2467127389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.2.dr | false | URL Reputation: safe
https://pleasuresky.xyz/ | file.tmp, 00000003.00000003.2515567178.0000000000975000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.000000000097C000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2521163705.00000000009C6000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=511666918 | file.tmp, 00000003.00000003.2518734526.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009A4000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691yv | file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://pleasuresky.xyz/e | file.tmp, 00000003.00000003.2515567178.0000000000975000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.000000000097C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://bitbucket.org/mitrich_k/inno-download-plugin | file.tmp, 00000003.00000002.2520555768.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr | false | unknown
http://mitrichsoftware.wordpress.comB | file.tmp, 00000003.00000002.2520555768.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr | false | unknown

The pleasuresky.xyz entries with trailing characters (/e, /osoft, and the index.php URL followed by 8, l, D4, Authority or yv) are memory-scan overruns of the same two strings, not separate URLs; the single request actually observed on the wire is the index.php URL listed in the Networking section. The jrsoftware.org and mitrichsoftware.wordpress.com entries carry the same kind of trailing residue.

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.29.144 | pleasuresky.xyz | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538494
Start date and time: 2024-10-21 12:57:31 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal52.troj.winEXE@6/3@1/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: file.exe
                            No simulations
                            No context
                            No context
Match: CLOUDFLARENETUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Message_2530136.eml | Get hash | malicious | Unknown | Browse | 1.1.1.1
https://www.childkorea.or.kr/bbs/link.html?code=alarm&number=3064&url=https://form.jotform.com/242923371946059 | Get hash | malicious | HTMLPhisher | Browse | 104.19.229.21
FACTURA RAGOZA.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
Purchase Order.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe? | Get hash | malicious | Unknown | Browse | 104.26.5.9
Spedizione.vbs | Get hash | malicious | Unknown | Browse | 172.67.75.40
https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe? | Get hash | malicious | Unknown | Browse | 104.26.5.9
FACTURA DE PAGO.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
PAGO FRAS. AGOSTO 2024..exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 172.67.206.204
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FACTURA RAGOZA.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.29.144
Spedizione.vbs | Get hash | malicious | Unknown | Browse | 104.21.29.144
FACTURA DE PAGO.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.29.144
PAGO FRAS. AGOSTO 2024..exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.29.144
rIMG465244247443GULFORDEROpmagasinering.cmd | Get hash | malicious | Remcos, GuLoader | Browse | 104.21.29.144
450707124374000811.exe | Get hash | malicious | GuLoader | Browse | 104.21.29.144
450707124374000811.exe | Get hash | malicious | GuLoader | Browse | 104.21.29.144
3507071243740008011.exe | Get hash | malicious | GuLoader | Browse | 104.21.29.144
Unlock_Tool_2.3.1.exe | Get hash | malicious | Vidar | Browse | 104.21.29.144
3507071243740008011.exe | Get hash | malicious | GuLoader | Browse | 104.21.29.144
Match: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link
https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe? | Get hash | malicious | Unknown | Browse
http://www.5movierulz.mom | Get hash | malicious | Unknown | Browse
SecuriteInfo.com.FileRepMalware.4445.21502.exe | Get hash | malicious | Unknown | Browse
NETGATE Spy Emergency.exe | Get hash | malicious | Amadey | Browse
NETGATE Spy Emergency.exe | Get hash | malicious | Amadey | Browse
file.exe | Get hash | malicious | Unknown | Browse
file.exe | Get hash | malicious | Amadey, AsyncRAT, Clipboard Hijacker, Cryptbot, MicroClip, Neoreklami, RedLine | Browse
SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe | Get hash | malicious | Unknown | Browse
SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe | Get hash | malicious | Unknown | Browse
SecuriteInfo.com.FileRepMalware.27261.32754.exe | Get hash | malicious | Unknown | Browse
Process: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious, Browse
• Filename: , Detection: malicious, Browse
• Filename: SecuriteInfo.com.FileRepMalware.4445.21502.exe, Detection: malicious, Browse
• Filename: NETGATE Spy Emergency.exe, Detection: malicious, Browse
• Filename: NETGATE Spy Emergency.exe, Detection: malicious, Browse
• Filename: file.exe, Detection: malicious, Browse
• Filename: file.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.FileRepMalware.27261.32754.exe, Detection: malicious, Browse
Reputation: high, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 237568
Entropy (8bit): 6.42067568634536
Encrypted: false
SSDEEP: 3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
MD5: 55C310C0319260D798757557AB3BF636
SHA1: 0892EB7ED31D8BB20A56C6835990749011A2D8DE
SHA-256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
SHA-512: E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3199488
Entropy (8bit): 6.325056825200418
Encrypted: false
SSDEEP: 49152:2WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TY:6tLutqgwh4NYxtJpkxhGj333T
MD5: 2219368033CD980984845AAAB1FAB363
SHA1: 75ADB7A0B831BB2231542F5425B0A2556CC5E83C
SHA-256: ADEEB9485BFA46AD723159D4EEB44C43CE1A4298FB2C63F50C172F27B2574BA5
SHA-512: 65737625269297922ACFC234D2949A8463424DAC43EC0208920C5D402E3A749D74F9E0AC491CE325957E763FA40A2AA02DACC020126C34441F3288711411B873
Malicious: false
Reputation: low
                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.461058379866431
TrID:
• Win32 Executable (generic) a (10002005/4) 98.04%
• Inno Setup installer (109748/4) 1.08%
• InstallShield setup (43055/19) 0.42%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
File name: file.exe
File size: 1'764'409 bytes
MD5: c2437df2b81c3abf87f04873ddf9ba9d
SHA1: d52387ccd75a7fd348688274eebf9d5d1396c256
SHA256: c85b7c9e1936855bf7e5142b7f8ddcf55b6d99c934a0186951a925e7dc7c34b4
SHA512: b7d95c1107b9446747c76cb2ddaf38a8a4e5da98186c7295b5beab7a0999168cd8d694bc646ff86a30aeca97df1a18093c1a102c689d018c1ab49679d0ed0539
SSDEEP: 24576:s7FUDowAyrTVE3U5F/yGqK1WKic6QL3E2vVsjECUAQT45deRV9R/L:sBuZrEUvGKIy029s4C1eH9l
TLSH: C785CF3FF268A13EC46A1B3245739320997BBA61B81A8C1E47FC344DCF765601E3B656
                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 0c0c2d33ceec80aa
Entrypoint: 0x4b5eec
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: e569e6f445d32ba23766ad67d1e3787f
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                add esp, FFFFFFA4h
                                                push ebx
                                                push esi
                                                push edi
                                                xor eax, eax
                                                mov dword ptr [ebp-3Ch], eax
                                                mov dword ptr [ebp-40h], eax
                                                mov dword ptr [ebp-5Ch], eax
                                                mov dword ptr [ebp-30h], eax
                                                mov dword ptr [ebp-38h], eax
                                                mov dword ptr [ebp-34h], eax
                                                mov dword ptr [ebp-2Ch], eax
                                                mov dword ptr [ebp-28h], eax
                                                mov dword ptr [ebp-14h], eax
                                                mov eax, 004B14B8h
                                                call 00007FE114CB4AF5h
                                                xor eax, eax
                                                push ebp
                                                push 004B65E2h
                                                push dword ptr fs:[eax]
                                                mov dword ptr fs:[eax], esp
                                                xor edx, edx
                                                push ebp
                                                push 004B659Eh
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                mov eax, dword ptr [004BE634h]
                                                call 00007FE114D575E7h
                                                call 00007FE114D5713Ah
                                                lea edx, dword ptr [ebp-14h]
                                                xor eax, eax
                                                call 00007FE114CCA594h
                                                mov edx, dword ptr [ebp-14h]
                                                mov eax, 004C1D84h
                                                call 00007FE114CAF6E7h
                                                push 00000002h
                                                push 00000000h
                                                push 00000001h
                                                mov ecx, dword ptr [004C1D84h]
                                                mov dl, 01h
                                                mov eax, dword ptr [004238ECh]
                                                call 00007FE114CCB717h
                                                mov dword ptr [004C1D88h], eax
                                                xor edx, edx
                                                push ebp
                                                push 004B654Ah
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                call 00007FE114D5766Fh
                                                mov dword ptr [004C1D90h], eax
                                                mov eax, dword ptr [004C1D90h]
                                                cmp dword ptr [eax+0Ch], 01h
                                                jne 00007FE114D5D88Ah
                                                mov eax, dword ptr [004C1D90h]
                                                mov edx, 00000028h
                                                call 00007FE114CCC00Ch
                                                mov edx, dword ptr [004C1D90h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x11000 | 0x11000 | aa582c7b4149c35de3e0ceb313a6d683 | False | 0.18564740349264705 | data | 3.6923482927822073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xc80e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xc8748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xc8a30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xc8b58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xca180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcb028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcb8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcbe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xcd120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd1348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd38f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd4998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd4e00 | 0x360 | data | | | 0.34375
RT_STRING | 0xd5160 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xd53c0 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xd581c | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xd5c28 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xd5efc | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xd5fb4 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xd6050 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xd63c4 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xd675c | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xd6ac4 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xd6d68 | 0x10 | data | | | 1.5
RT_RCDATA | 0xd6d78 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xd703c | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xd7068 | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xd7124 | 0x584 | data | English | United States | 0.2471671388101983
RT_MANIFEST | 0xd76a8 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4541a8
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 12:59:10.442321062 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:10.442356110 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:10.442495108 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:10.454899073 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:10.454924107 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.198637009 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.198770046 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.346681118 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.346704960 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.347045898 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.347342968 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.358946085 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.399331093 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.597548962 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.597599983 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.597614050 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.597754955 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.597871065 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.597871065 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.597887993 CEST | 443 | 49722 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.598084927 CEST | 49722 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.619204044 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.619230032 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:11.619340897 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.619798899 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:11.619812012 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:12.233426094 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:12.233501911 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:12.234433889 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:12.234440088 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:12.235009909 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:12.235013962 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:12.490223885 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:12.490299940 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Oct 21, 2024 12:59:12.490335941 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:12.490406036 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:12.592097998 CEST | 49724 | 443 | 192.168.2.6 | 104.21.29.144
Oct 21, 2024 12:59:12.592128038 CEST | 443 | 49724 | 104.21.29.144 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 12:59:10.186121941 CEST | 52108 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 12:59:10.435888052 CEST | 53 | 52108 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 12:59:10.186121941 CEST | 192.168.2.6 | 1.1.1.1 | 0xcb47 | Standard query (0) | pleasuresky.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 12:59:10.435888052 CEST | 1.1.1.1 | 192.168.2.6 | 0xcb47 | No error (0) | pleasuresky.xyz | (none) | 104.21.29.144 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 12:59:10.435888052 CEST | 1.1.1.1 | 192.168.2.6 | 0xcb47 | No error (0) | pleasuresky.xyz | (none) | 172.67.149.68 | A (IP address) | IN (0x0001) | false
• pleasuresky.xyz

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49722 | 104.21.29.144 | 443 | 5956 | C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp

Timestamp | Bytes transferred | Direction | Data
2024-10-21 10:59:11 UTC | 183 | OUT | HEAD /pe/start/index.php?a=2927&p=4143&t=51166691 HTTP/1.1
    Accept: */*
    User-Agent: InnoDownloadPlugin/1.5
    Host: pleasuresky.xyz
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-10-21 10:59:11 UTC | 755 | IN | HTTP/1.1 200 OK
    Date: Mon, 21 Oct 2024 10:59:11 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.2.7
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8u8j9W0KmCYvxAi345%2BB6pVZ0Ab6XJZimOqcsEYDtYacmuj4QZIuUAIpop1weDRPuPwJ00WzL6mYClvWXG9OSDeYZCS5js4szxRW2HcGaAWpRczLF5ogwmYzZd87Hn0RrTI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d60bc9c6a206c3c-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2161&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=797&delivery_rate=1302744&cwnd=251&unsent_bytes=0&cid=e892f44c36e939d9&ts=521&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49724 | 104.21.29.144 | 443 | 5956 | C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp

Timestamp | Bytes transferred | Direction | Data
2024-10-21 10:59:12 UTC | 182 | OUT | GET /pe/start/index.php?a=2927&p=4143&t=51166691 HTTP/1.1
    Accept: */*
    User-Agent: InnoDownloadPlugin/1.5
    Host: pleasuresky.xyz
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-10-21 10:59:12 UTC | 793 | IN | HTTP/1.1 200 OK
    Date: Mon, 21 Oct 2024 10:59:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.2.7
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ibr84XP51sPEXVUiPdk59dSiwxyoe91UY6YylO%2FctqGwBHXkCih1w97GbEAbjcK%2FRVCQJZX0OEpvaZ0z9eJzSEhP55jIp61%2FHg9UlABa7N9H%2BHzfrlzVGu71k2%2B%2BtZRgANM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d60bca1eff36bac-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1079&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=796&delivery_rate=2429530&cwnd=247&unsent_bytes=0&cid=2685474b0fbc1534&ts=262&x=0"
2024-10-21 10:59:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0



Target ID: 2
Start time: 06:59:06
Start date: 21/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 1'764'409 bytes
MD5 hash: C2437DF2B81C3ABF87F04873DDF9BA9D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 3
Start time: 06:59:07
Start date: 21/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp" /SL5="$20406,922170,832512,C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 3'199'488 bytes
MD5 hash: 2219368033CD980984845AAAB1FAB363
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 6
Start time: 06:59:12
Start date: 21/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\geed.bat""
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:59:12
Start date: 21/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly